BLEEDINGBIT – Two Zero Day Vulnerabilities Affecting Wireless Access Point Bluetooth Chips

Wireless Access Points (WAPs) form the core of enterprise cyber security as they serve as a gateway to the enterprise network. A slight bug in this component can lead to huge damage. Recently, researchers discovered two zero-day vulnerabilities in the BLE chips of the access points. Together termed as “BLEEDINGBIT”, the flaws can trigger remote attacks on devices whilst beaching the network.

BLEEDINGBIT – Zero-Day Vulnerabilities In BLE Chips

A team of researchers at Armis Labs have discovered critical security flaws that could trigger remote attacks on enterprise networks. The researchers discovered a pair of zero-day vulnerabilities, which they collectively named as BLEEDINGBIT.

The vulnerability exists in Texas Instruments (TI) made Bluetooth Low Energy (BLE) chips. These faulty BLE chips are embedded in a number of WiFi related equipment and can allow an attacker to snoop into an enterprise’s network through their wireless access points.

While conducting the research, Armis primarily focused on network devices from Cisco, Meraki, and Aruba. This is because these brands constitute approximately 70% of the market. They found that these devices are vulnerable to BLEEDINGBIT.

The two zero-day vulnerabilities in this category have received CVE numbers CVE-2018-16986 and CVE-2018-7080. Together, these flaws can allow an attacker to take complete control of a target device.

The researchers have published their findings in a vulnerability report on their website. Nonetheless, they plan to present further details at the upcoming Black Hat Europe Conference. Until then, they will continue to “gauge the full reach of vulnerabilities”.

BLEEDINGBIT RCE Vulnerability (CVE-2018-16986)

The first vulnerability CVE-2018-16986 allows an attacker to execute arbitrary codes or create a DoS condition on the target device. As explained by Armis,

“The vulnerability can be exploited by an attacker in the vicinity of the affected device, provided its BLE is turned on, without any other prerequisites or knowledge about the device.”

To exploit the flaw, the attack occurs in two steps.

“First, the attacker sends multiple benign BLE broadcast messages, called “advertising packets,” which will be stored on the memory of the vulnerable BLE chip in the targeted device.”

At this stage, no security measures can detect this activity since the codes apparently appear harmless. They will, however, facilitate the later stage of the attack.

“Next, the attacker sends the overflow packet, which is a standard advertising packet with a subtle alteration – a specific bit in its header turned ON instead of off. This bit causes the chip to allocate the information from the packet a much larger space than it really needs, triggering an overflow of critical memory in the process. The leaked memory contains function pointers – memory that points to specific code segments, which the attacker can leverage to point to the code s/he sent to the vulnerable chip in the previous stage of the attack.”

Once done, the attacker gains complete control of the device, making him capable of running malicious codes. A successful exploit can even allow the attacker to spread laterally over the network. Hence, the devices in the vicinity of the victim device also become vulnerable.

BLEEDINGBIT OAD RCE Vulnerability (CVE-2018-7080)

The second BLEEDINGBIT flaw particularly affected Aruba devices and exists in the Over the Air firmware Download (OAD) feature. This backdoor bug can allow an attacker to push malicious firmware updates to the target device. As explained in the Armis advisory,

“In the case of Aruba’s access points, a hardcoded password was added (that is identical across all Aruba APs that support BLE) to prevent the OAD feature of being easily abused by attackers. However, an attacker who acquired the password by sniffing a legitimate update or by reverse-engineering Aruba’s BLE firmware can connect to the BLE chip on a vulnerable access point and upload a malicious firmware containing the attacker’s own code, effectively allowing a completely rewrite its operating system, thereby gaining full control over it.”

Products Vulnerable To BLEEDINGBIT

Armis stated that BLEEDINGBIT seemingly affects anyone running vulnerable wireless access points. At first, the flaws pose a risk to enterprise security as the attackers can snoop into their networks via vulnerable WAPs. In addition, the vulnerabilities also threaten the health sector. It is because the vulnerable TI BLE chips constitute an important part of most medical devices. For instance, pacemakers and insulin pumps.

Besides, any private entity having IoT devices running vulnerable BLE chips also remain exposed to the flaws.

While Armis continues to find out the extent of the flaws, Cisco and Aruba have published detailed security advisories confirming the bugs. Cisco has shared a complete list of Aironet and Meraki products vulnerable to the flaws and has also released patches. Whereas, Aruba, powered by Hewlett Packard enterprise, has also released patched updates.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients