Rewterz Threat Advisory – CVE-2018-16986 & CVE-2018-7080 – New Bluetooth Vulnerabilities Exposed in Aruba, Cisco, Meraki Access Points

Wednesday, November 7, 2018

Two flaws in the Bluetooth Low Energy chips used in major Wi-Fi Access Points could give attackers control of the wireless network.

IMPACT: CRITICAL

PUBLISH DATE: 07-11-2018

OVERVIEW

Armis, an IoT security firm, has announced that Remote Code Execution (RCE) and Denial of Service (DoS) vulnerabilities exist in the Bluetooth Low Energy (BLE) stack on Texas Instruments (TI) CC2640 and CC2650 chips. There are two vulnerabilities, both arising from a memory corruption condition that can occur when malformed BLE frames are processed.

An attacker in close proximity to an affected device that is actively scanning could exploit the vulnerability by broadcasting malformed BLE frames. A successful exploit could allow the attacker to execute arbitrary code or cause a denial of service condition on the affected device.

ANALYSIS

Bluetooth Low Energy (BLE) chips made by Texas Instruments contain vulnerabilities that could hand control of the wireless network to an attacker. Multiple Wi-Fi access points and other devices are affected.

The BLE chips manufactured by Texas Instruments are used in a large share of the Wi-Fi access point (AP) market, including the access points made by Aruba, Cisco and Meraki. Access points from these vendors make up about 70% of the enterprise AP market.

Two vulnerabilities, now called “BleedingBit”, have been pinpointed in TI CC2640/50 and TI CC2540/1 chips.

In CVE-2018-16986, the field that stores the “advertising packets” sent by devices for discovery is overflowed. Devices within the AP’s range broadcast these packets to let the AP know they are present.

“It’s supposed to be six bits, but these chips look at two additional bits that are supposed to be zero,” Ben Seri, the vice president of research at Armis says, “If an attacker sends a number of well-formed advertising packets containing code, and then a malformed packet with a “one” in either of those two extra bit places, it results in a stack overflow that could allow execution of all that earlier-delivered code.”
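The length-field mismatch Seri describes, as an added C example that is not part of the advisory, of Armis’s research or of TI’s firmware: in a legacy (Bluetooth 4.x) advertising PDU header the Length field is 6 bits and the two bits beside it are reserved, an assumption drawn from the Bluetooth specification that the advisory does not spell out. `adv_len_unmasked` shows what an 8-bit reading of that byte claims, and `adv_receive` is a hardened receiver that masks the field, rejects set reserved bits and bounds-checks before copying; all frames are constructed here, not captured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Legacy (Bluetooth 4.x) advertising PDU: 2-byte header, then at most 37 bytes
 * of payload (6-byte AdvA + up to 31 bytes AdvData). Header byte 1 holds the
 * 6-bit Length field in bits 0-5; bits 6-7 are reserved and must be zero. */
#define ADV_MAX_PAYLOAD 37
#define ADV_LEN_MASK    0x3F
#define ADV_RFU_MASK    0xC0

typedef struct { uint8_t payload[ADV_MAX_PAYLOAD]; uint8_t len; } adv_pdu_t;

/* Length as a parser that honours all 8 bits sees it: the reserved bits become
 * the high bits, so a frame can claim up to 255 bytes for a 37-byte buffer.
 * This only models the defect; it copies nothing. */
unsigned adv_len_unmasked(const uint8_t *hdr) { return hdr[1]; }

/* Length as the specification defines it: the low 6 bits only. */
unsigned adv_len_spec(const uint8_t *hdr) { return hdr[1] & ADV_LEN_MASK; }

/* Hardened receive path: 0 and *out filled, or -1 if the frame is rejected.
 * Nothing is copied before every check has passed. */
int adv_receive(adv_pdu_t *out, const uint8_t *frame, size_t frame_len) {
    if (frame_len < 2) return -1;
    if (frame[1] & ADV_RFU_MASK) return -1;           /* reserved bits set */
    unsigned len = adv_len_spec(frame);
    if (len < 6 || len > ADV_MAX_PAYLOAD) return -1;  /* 6 = AdvA alone */
    if (frame_len < 2 + (size_t)len) return -1;       /* truncated on the air */
    memcpy(out->payload, frame + 2, len);
    out->len = (uint8_t)len;
    return 0;
}

/* Build a constructed (not captured) ADV_IND frame with header byte 1 = hdr1
 * and a full 37-byte dummy payload, then run it through the hardened receiver:
 * 0x25 (Length 37, reserved bits clear) is accepted; 0x65 (bit 6 set) rejected. */
int adv_demo_receive(uint8_t hdr1) {
    uint8_t frame[2 + ADV_MAX_PAYLOAD]; adv_pdu_t pdu;
    frame[0] = 0x00; frame[1] = hdr1;
    for (unsigned i = 0; i < ADV_MAX_PAYLOAD; i++) frame[2 + i] = (uint8_t)(0xA0 + i);
    return adv_receive(&pdu, frame, sizeof frame);
}

/* Length an 8-bit (masked == 0) or spec 6-bit reading claims for hdr1. */
unsigned adv_demo_len(uint8_t hdr1, int masked) {
    uint8_t hdr[2] = { 0x00, hdr1 };
    return masked ? adv_len_spec(hdr) : adv_len_unmasked(hdr);
}
```

For header byte 0x65 the 8-bit reading claims 101 bytes while the masked reading gives 37, which is exactly the gap between buffer size and accepted length that the quote describes.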

The second vulnerability, CVE-2018-7080, affects only Aruba access points, but it lets an attacker deliver a larger payload in a single step. Aruba’s BLE radio exposes an over-the-air download (OAD) feature intended as a tool for the development process. If that feature is left active on a production system, an attacker can obtain the hard-coded password and then use the feature to completely rewrite the access point’s operating system.

The BLE radio used in Aruba’s affected APs contains password-protected functionality that allows over-the-air firmware updates. Unfortunately, an attacker with access to a software image (e.g. downloaded from the Aruba website), or with access to the AP hardware, could recover the password. With the password, an attacker can push malicious firmware updates to the BLE radio wirelessly.

Because BLE is not usually regarded as a potential threat or attack vector, analysts are concerned that it is a complete blind spot from an organization’s viewpoint, whereas in reality the BLE chip sits at a position within these systems that an attacker could exploit as a strong point of entry.

The fact that a great many IoT devices, such as smart watches and insulin pumps, use this BLE chip raises a further concern: many devices could be taken over if an attacker succeeds in exploiting the chip.

AFFECTED PRODUCTS

Cisco Access Points

Cisco Aironet Access Points first supported the BLE feature in software release 8.7, so an access point is vulnerable only if it is running software release 8.7.102.0 or 8.7.106.0.

Aruba Access Points (vulnerable only if the BLE radio is enabled):

  • AP-3xx and IAP-3xx series access points
  • AP-203R
  • AP-203RP
  • ArubaOS 6.4.4.x prior to 6.4.4.20
  • ArubaOS 6.5.3.x prior to 6.5.3.9
  • ArubaOS 6.5.4.x prior to 6.5.4.9
  • ArubaOS 8.x prior to 8.2.2.2
  • ArubaOS 8.3.x prior to 8.3.0.4
  • The AP207 is not affected, as it contains a different BLE implementation.

Other Aruba AP models not listed here do not contain a BLE radio and are not affected.

MITIGATION

To mitigate these vulnerabilities, disable the BLE radio so that the BLE chip vulnerabilities cannot affect your access points.

Meraki’s guidance on disabling BLE scanning:

https://documentation.meraki.com/MR/Bluetooth/Bluetooth_Low_Energy_(BLE)#Enable_Bluetooth_Scanning

Likewise, Cisco has released an advisory addressing the vulnerabilities.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap

For Aruba products, update to the following patched versions.

  • ArubaOS 6.4.4.20
  • ArubaOS 6.5.3.9
  • ArubaOS 6.5.4.9
  • ArubaOS 8.2.2.2
  • ArubaOS 8.3.0.4

If you think you’re the victim of a cyber-attack, immediately send an email to soc@rewterz.com for a quick response.
