vSOC SPOT Report: BLEEDINGBIT
Posted by: GuidePoint Security
Overview
On November 1, 2018, security researchers at the IoT security firm Armis released information regarding a pair of vulnerabilities in Texas Instruments (TI) Bluetooth Low-Energy (BLE) chips used in Cisco and Aruba enterprise wireless access points. Dubbed BLEEDINGBIT, the vulnerabilities are a leftover of the chips’ development process, which allowed rapid firmware updates over the air.
Armis privately disclosed the bugs in July, prompting TI to develop a fix and provide it to OEMs. Aruba released an update on October 18, 2018 to address the issue. Cisco will release its update on November 2, 2018.
Armis will discuss the issue in a presentation at Black Hat Europe on December 5-6, 2018. These vulnerabilities were assigned CVEs CVE-2018-16986 and CVE-2018-7080.
Technical Overview
Attackers can send a malicious broadcast message over Bluetooth to the BLE stack in the TI CC2640, CC2650, or CC2640R2 chips, triggering memory corruption, and giving the attacker the ability to create a denial of service, or in the worst case, access the underlying operating system, execute code, and create a backdoor. The attacker can then use the access point to capture traffic, bridge networks, jump to other access points, and/or attack other devices on the network.
It should be noted that the attacker does not have to be on the network to execute the attack and only needs to be within range of the wireless access point and its BLE broadcasts (up to roughly 300 feet away). Aruba devices can only be exploited if the BLE radio is enabled (it is disabled by default on Aruba devices), whereas Cisco devices currently have no workaround or mitigation.
Affected devices include the Cisco 1542, 1815, and 4800 access points, Cisco Meraki MR33, MR30H, MR74, and MR53E access points, and Aruba AP-300 and IAP-300 series access points.
Potential Impact
If an attack on the wireless access point is successful, an unauthorized attacker is able to take over the device locally by manipulating the processor and then convert that control into remote control of the device. Once in control of the device, the attacker is able to capture traffic that passes through it or pivot through an organization’s environment, exposing the organization to a much wider array of attacks.
What You Should Do
Scan your network for CVEs CVE-2018-16986 and CVE-2018-7080. Keep in mind that authentication will be required to successfully locate devices vulnerable to these CVEs with a vulnerability scanner.
Work with your network administrators to disable the BLE radio in Aruba access points, then update to ArubaOS 6.4.4.20 or later. When Cisco releases its updates on November 2, plan to deploy those updates as quickly as possible. Cisco’s security advisory includes detailed instructions to determine if a given Cisco device is vulnerable to these attacks.
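As an added triage example (not from the GuidePoint report or from any vendor tool), the following Python script checks a constructed access-point inventory against the affected models and the ArubaOS 6.4.4.20 threshold stated above; the inventory values, the AP-3xx/IAP-3xx model pattern and the plain numeric version comparison are assumptions.

```python
import re
from dataclasses import dataclass

# Affected models and fixed ArubaOS build as stated in the report above.
CISCO_AFFECTED = {"1542", "1815", "4800", "MR33", "MR30H", "MR74", "MR53E"}
ARUBA_AFFECTED = re.compile(r"^I?AP-3\d\d$")  # assumed pattern for AP-300/IAP-300 series
ARUBA_FIXED = (6, 4, 4, 20)                   # ArubaOS 6.4.4.20 or later

@dataclass
class AccessPoint:
    name: str
    vendor: str        # "cisco" (including Meraki) or "aruba"
    model: str
    firmware: str      # dotted version string, e.g. "6.4.4.19"
    ble_enabled: bool

def parse_version(v: str) -> tuple:
    """Turn '6.4.4.19' into (6, 4, 4, 19) so builds compare numerically."""
    return tuple(int(p) for p in v.split("."))

def assess(ap: AccessPoint) -> tuple:
    """Return (status, recommended action) for one AP against BLEEDINGBIT."""
    if ap.vendor == "cisco":
        if ap.model in CISCO_AFFECTED:
            return ("VULNERABLE", "no workaround; apply the Cisco update released 2018-11-02")
        return ("NOT_AFFECTED", "model not listed as affected")
    if ap.vendor == "aruba":
        if not ARUBA_AFFECTED.match(ap.model):
            return ("NOT_AFFECTED", "model not listed as affected")
        # Assumption: plain tuple comparison against the report's 6.4.4.20 threshold; see ARUBA-PSA-2018-006 for other branches.
        if parse_version(ap.firmware) >= ARUBA_FIXED:
            return ("PATCHED", "running ArubaOS 6.4.4.20 or later")
        if ap.ble_enabled:
            return ("VULNERABLE", "disable the BLE radio, then update to ArubaOS 6.4.4.20+")
        return ("AT_RISK", "BLE off (default) so not exploitable; update before enabling BLE")
    return ("UNKNOWN", "vendor not covered by this report")

# Constructed sample inventory; names, builds and BLE state are made up.
SAMPLE = [
    AccessPoint("ap-lobby", "aruba", "AP-335", "6.4.4.19", True),
    AccessPoint("ap-lab", "aruba", "IAP-325", "6.4.4.16", False),
    AccessPoint("ap-exec", "aruba", "AP-345", "6.4.4.20", True),
    AccessPoint("ap-hall", "aruba", "AP-205", "6.4.4.10", True),
    AccessPoint("ap-warehouse", "cisco", "4800", "unknown", True),
]

if __name__ == "__main__":
    for ap in SAMPLE:
        print(ap.name, *assess(ap))
```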
Supporting Information
- https://armis.com/bleedingbit/
- https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-006.txt
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap
- https://www.zdnet.com/article/new-bleedingbit-zero-day-vulnerabilities-impact-majority-of-enterprises-at-the-chip-level/
- https://www.blackhat.com/eu-18/briefings/schedule/index.html#bleedingbit-your-aps-belong-to-us-13111