Bleedingbit bugs could allow hackers to launch remote code execution attacks against companies around the globe

• By exploiting the bugs, an attacker could potentially target a vulnerable system located 100 to 300 feet away.
• Cisco, Meraki, and Aruba have prepared patches to resolve Bleedingbit's first flaw.

Two new zero-day vulnerabilities were discovered in Bluetooth Low-Energy (BLE) chips, which could expose multiple enterprise firms from around the world to remote code execution attacks. The set of vulnerabilities were dubbed as “Bleedingbit”. By exploiting the bugs, an attacker could potentially target a vulnerable system located 100 to 300 feet away.

BLE is a relatively new Bluetooth protocol designed for low-power consumption devices, such as IoT hardware. For various features such as its mesh capabilities, the new Bluetooth protocol evolves the protocol from consumer uses (headphones and smartphone data) to commercial IoT uses.The vulnerable Bluetooth Low-Energy chips were manufactured by Texas Instruments.

The vulnerabilities were discovered by Armis, which revealed details about the bug in a blog post, on Thursday. Millions of corporate networks such as Cisco, Meraki, and Aruba wireless access points (AP’s) use these vulnerable BLE chips in up to 70 to 80 percent of their enterprise products.

A Remote code execution vulnerability

One of the vulnerabilities, (CVE-2018-16986), is related to the Texas Instrument BLE chips cc2640/50, used in Cisco and Cisco Meraki access points. An unauthenticated attacker could exploit this flaw from a closer range to remotely execute malicious code on vulnerable systems.

“First, the attacker sends multiple benign BLE broadcast messages, called ‘advertising packets,’ which are stored on the memory of the vulnerable BLE chip in the targeted device,” the researchers said. “Next, the attacker sends the overflow packet, which is a standard advertising packet with a subtle alteration – a specific bit in its header turned on instead of off. This bit causes the chip to allocate the information from the packet to a much larger space than it really needs, triggering an overflow of critical memory in the process.”

The exposed memory can be exploited by hackers to run malicious code or program on a targeted system. By using commands to control the device wirelessly, hackers could obtain complete control over the processors of the wireless access point and compromise it for local and remote control attacks.

Vulnerability on over-the-air firmware download (OAD)

The other critical vulnerability, (CVE-2018-7080), was present in the over-the-air firmware downloading (OAD) and updating feature of TI chips, used in Aruba Wi-Fi access point series 300.

“This vulnerability is technically a backdoor in BLE chips that was designed as a development tool, but is active in these production access points,” Armis researchers said.

By exploiting the vulnerability, an attacker could access and install a completely new and different version of the firmware - technically rewriting the operating system of the device. Hence, by installing a vulnerable version of their own firmware attackers could gain control over targeted systems, take over the access points, spread malware and move across the network, said the researchers.

Affected devices

The vulnerability affects the following devices TI BLE chips, provided the vendor included the OAD feature in devices:

• cc2642r
• cc2640r2
• cc2640
• cc2650
• cc2540
• Cc2541

The risk posed by the vulnerability

“Bleedingbit is a wakeup call to enterprise security for two reasons,” said Armis CEO Yevgeny Dibrov. “First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns. Second, these vulnerabilities can break network segmentation — the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device.”

Fixes for the vulnerability

Cisco, Meraki, and Aruba have prepared patches to resolve Bleedingbit's first flaw. The patches have already been released. Hence, manufacturers using the vulnerable TI chips should update to the latest version (BLE-STACK v2.2.2) to protect their systems against the bugs. Security researchers from Armis recommend that users disable the OAD feature in live environments to protect against the second vulnerability.