Two critical vulnerabilities have been discovered in BLE (Bluetooth Low Energy) chips manufactured by Texas Instruments (TI). The vulnerabilities have been named BLEEDINGBIT. Because they lie in the BLE chips themselves, any device built on that hardware is a potential target for exploitation. The following CVEs have been assigned to track the BLEEDINGBIT vulnerabilities.
- BLEEDINGBIT RCE vulnerability (CVE-2018-16986)
- BLEEDINGBIT OAD RCE vulnerability (CVE-2018-7080)
Vulnerability
BLEEDINGBIT RCE vulnerability (CVE-2018-16986)
This is a memory corruption condition caused by improper handling of malformed BLE packets. An attacker needs to be within radio range of the target access point (AP) to exploit it. Initially, BLE broadcast messages, called “advertising packets,” are directed towards the target. These packets are stored on the target and contain custom code that will later be triggered.
The next packet is a malformed advertising packet that causes the AP to allocate more memory than required; the over-allocation is caused by a specific bit being set in the packet header. The resulting overflow lets the attacker overwrite function pointers. From this point the attacker can take control of the processor, overcome network segmentation, and spread laterally. The attacker can also carry out DoS attacks against the AP or other targets. Cisco has addressed this vulnerability in cisco-sa-20181101-ap.
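The root cause described above is a payload length taken from the packet header and trusted before memory is allocated or copied. The following is an added example, not Texas Instruments' code or the researchers' code, showing the two bounds checks a BLE stack should make on a legacy advertising PDU: the header's declared length is capped at the spec maximum (37 bytes: a 6-byte AdvA plus up to 31 bytes of AdvData) and at the number of bytes actually received, and reserved header bits are masked off rather than allowed to change how the length is interpreted. The header layout is assumed from the Bluetooth Core spec for legacy advertising; the sample packets are constructed for illustration and the page does not identify which header bit TI's stack mishandled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed legacy advertising PDU header (Bluetooth Core spec):
 *   byte 0: PDU type (bits 0-3), RFU/ChSel/TxAdd/RxAdd (bits 4-7)
 *   byte 1: payload length (bits 0-5 in BT 4.x; bits 6-7 reserved) */
#define ADV_HDR_LEN        2
#define ADV_MAX_PAYLOAD    37     /* 6-byte AdvA + 31-byte AdvData */
#define ADV_LEN_MASK       0x3F   /* honour only the defined length bits */
#define ADV_PDU_TYPE_MASK  0x0F

typedef struct {
    uint8_t pdu_type;
    uint8_t payload_len;
    uint8_t payload[ADV_MAX_PAYLOAD];   /* fixed size: never sized from the packet */
} adv_pdu_t;

enum adv_parse_status {
    ADV_OK = 0,
    ADV_ERR_TRUNCATED_HEADER = -1,   /* fewer than 2 bytes received */
    ADV_ERR_LEN_EXCEEDS_SPEC = -2,   /* header claims more than 37 bytes */
    ADV_ERR_LEN_EXCEEDS_RECV = -3    /* header claims more than was received */
};

/* Parse buf[0..buf_len) into *out. Returns ADV_OK or a negative status.
 * On error *out is left untouched and nothing is copied. */
int adv_parse(const uint8_t *buf, size_t buf_len, adv_pdu_t *out)
{
    if (buf == NULL || out == NULL || buf_len < ADV_HDR_LEN)
        return ADV_ERR_TRUNCATED_HEADER;

    /* Reserved bits are discarded; they must not widen the length field. */
    uint8_t declared_len = buf[1] & ADV_LEN_MASK;

    /* Check 1: spec ceiling. The destination is a fixed 37-byte buffer,
     * so a larger declared length is rejected before any copy. */
    if (declared_len > ADV_MAX_PAYLOAD)
        return ADV_ERR_LEN_EXCEEDS_SPEC;

    /* Check 2: received ceiling. A header that claims more payload than the
     * radio delivered would otherwise read past the end of buf. */
    if ((size_t)declared_len > buf_len - ADV_HDR_LEN)
        return ADV_ERR_LEN_EXCEEDS_RECV;

    out->pdu_type    = buf[0] & ADV_PDU_TYPE_MASK;
    out->payload_len = declared_len;
    memcpy(out->payload, buf + ADV_HDR_LEN, declared_len);
    return ADV_OK;
}

/* Constructed sample: ADV_IND (type 0), 6-byte AdvA and a 3-byte Flags AD
 * structure, so the header correctly declares 9 payload bytes. */
static const uint8_t SAMPLE_GOOD[] = {
    0x00, 0x09,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66,   /* AdvA (constructed address) */
    0x02, 0x01, 0x06                      /* AD: len 2, type 0x01 Flags, value 0x06 */
};

/* Constructed sample: same 9 bytes on the wire, header declares 63 bytes.
 * Exceeds the spec maximum, rejected by check 1. */
static const uint8_t SAMPLE_OVERSPEC[] = {
    0x00, 0x3F,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x02, 0x01, 0x06
};

/* Constructed sample: header declares 32 bytes, within spec but only 9 were
 * received. Rejected by check 2; a parser trusting the header would copy 23
 * bytes that were never received. */
static const uint8_t SAMPLE_OVERRECV[] = {
    0x00, 0x20,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x02, 0x01, 0x06
};

static void report(const char *name, const uint8_t *buf, size_t len)
{
    adv_pdu_t pdu;
    int rc = adv_parse(buf, len, &pdu);
    if (rc == ADV_OK)
        printf("%-14s OK  type=%u payload_len=%u\n", name, pdu.pdu_type, pdu.payload_len);
    else
        printf("%-14s rejected (status %d)\n", name, rc);
}

int main(void)
{
    report("good", SAMPLE_GOOD, sizeof SAMPLE_GOOD);
    report("over-spec", SAMPLE_OVERSPEC, sizeof SAMPLE_OVERSPEC);
    report("over-received", SAMPLE_OVERRECV, sizeof SAMPLE_OVERRECV);
    return 0;
}
```

The second check is the one that matters most for the condition the advisory describes: a length that is within the spec limit but larger than what was received still leads to an out-of-bounds read or copy if the stack sizes its allocation from the header alone.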
BLEEDINGBIT OAD RCE vulnerability (CVE-2018-7080)
A vulnerability in Aruba AP firmware allows an attacker to install malicious firmware onto the AP’s BLE (Bluetooth Low Energy) radio. The issue affects firmware for APs with embedded BLE radios. Upon successful exploitation an attacker can take over the access point. Aruba has addressed this issue in ARUBA-PSA-2018-006.
BLE is used for over-the-air (OAD) firmware updates, a password-protected feature that is disabled by default. Unfortunately, an attacker can retrieve the password either from an offline copy of the device firmware or from the device itself. This password is hard-coded and is identical across all Aruba APs that support BLE. Effectively, an attacker can upload an entirely new custom firmware onto the device.
Mitigation
We urge organizations to apply the latest fixes from the respective vendors to address the BLEEDINGBIT vulnerabilities. If immediate patching is not possible, please consider disabling BLE wherever applicable.
Qualys customers can scan using QID 43629 to detect vulnerable Aruba firmware versions. The QID is a potential check that uses SNMP to obtain the firmware version of the device. Qualys will continue to add and improve detections as more vendors release updates addressing the BLEEDINGBIT vulnerabilities.
Please continue to follow Qualys Threat Protection for information on BLEEDINGBIT vulnerability.
References
BleedingBit
ARUBA-PSA-2018-006
Texas Instruments Bluetooth Low Energy Denial of Service and Remote Code Execution Vulnerability