Researcher’s discovered 2 critical Bluetooth vulnerabilities in BLE (Bluetooth Low Energy) is named as ” BLEEDINGBIT ” affected millions of BLE embedded devices that allows an attacker to access enterprise network without authentication.
These serious vulnerabilities existing in the BLE which is made by Texas Instruments (TI) that embedded in access points to provide Wi-Fi to enterprise networks.
It was discovered in network devices that manufactured by Cisco, Meraki, and Aruba which is used in almost 70% of worldwide computer networks.
The Critical flaw gives very sensitive access to attackers who can able to breaking network segmentation once they take over the Wi-Fi access point.
Apart from the network devices that using BLE chips, it also affected IoT devices, medical centers use BLE to track the location of beacons on valuable assets like resuscitation carts, the point of sales devices, smart locks, hotel chain, cars where BLE Chip establish established Bluetooth protocol.
These vulnerabilities introduce the new attack surface to network devices, such as access points which distribute Wi-Fi on an enterprise scale.
Both vulnerabilities that related to BLE chips are Remote code execution vulnerabilities existing in TI chip that embedded in many devices.
These Vulnerable BIE Chips responsible for wireless communication, they can be exploited remotely, via the air and it allows an attacker to penetrate the vulnerable network.
How Do BLEEDINGBIT Vulnerabilities works
Both vulnerabilities are working in different ways and both are mainly focusing on access point of the affected devices.
BLEEDINGBIT RCE Vulnerability (CVE-2018-16986)
Initially attackers exploit this vulnerability on nearby affected devices in order to turn on the BLE without any prior knowledge about the devices.
Later they send BLE broadcast messages(advertising packets) that will be stored in the memory of the vulnerable BLE chip in a targeted device which is remain undetected by the security software.
Attackers keep sending the overflow packets that causes the chip to allocate the much larger space to triggering an overflow of critical memory in the process.
This process leaks the memory pointer which leads an attack to leverage the code sent to the vulnerable chip in the previous stage of the attack.
Finally, an attacker can be able to run malicious code on the targeted system and install a backdoor on the vulnerable chip.
CVE-2018-16986 – Affected Device
|Cisco 1540 Aironet Series Outdoor Access Points||CSCvk44163||22.214.171.124|
|Cisco 1800i Aironet Access Points||CSCvk44163||126.96.36.199|
|Cisco 1810 Aironet Access Points||CSCvk44163||188.8.131.52|
|Cisco 1815i Aironet Access Points||CSCvk44163||184.108.40.206|
|Cisco 1815m Aironet Access Points||CSCvk44163||220.127.116.11|
|Cisco 1815w Aironet Access Points||CSCvk44163||18.104.22.168|
|Cisco 4800 Aironet Access Points||CSCvk44163||22.214.171.124|
|Meraki MR30H AP||N/A||MR 25.13 and later|
|Meraki MR33 AP||N/A||MR 25.13 and later|
|Meraki MR42E AP||N/A||MR 25.13 and later|
|Meraki MR53E AP||N/A||MR 25.13 and later|
|Meraki MR74||N/A||MR 25.13 and later|
BLEEDINGBIT OAD RCE Vulnerability (CVE-2018-7080)
Second Vulnerability mainly affected the Aruba Access Point Series 300 that helps to use the OAD future in TI.
According to armis research, This issue is technically a backdoor in BLE chips that was designed to allow firmware updates. The OAD feature is often used as a development tool, but is active in some production access points. It can allow a nearby attacker to access and install a completely new and different version of the firmware .
“However, an attacker who acquired the password by sniffing a legitimate update or by reverse-engineering Aruba’s BLE firmware can connect to the BLE chip on a vulnerable access point and upload a malicious firmware containing the attacker’s own code”
CVE-2018-7080 -Affected Device