On November 1, 2018, researchers from Armis revealed two severe vulnerabilities known as Bleedingbit which could be used to carry out remote code execution attacks on enterprise firms worldwide.
The Bleedingbit vulnerabilities impact Bluetooth low-energy chips built by Texas Instruments (TI) and are used in millions of Cisco and Aruba wireless access points (AP).
Although the two bugs are distinctly different and target a range of models, both vulnerabilities allow an attacker to take over an AP and break into an enterprise network or jump over the virtual walls that separate networks. They are difficult to detect by traditional security measures and they are contagious by their nature, allowing the attack to spread to any device near the initial breach.
The Bleedingbit name is in reference to the first bug that flips the highest bit in a Bluetooth packet, causing its memory to overflow (i.e., bleed), which an attacker can then use to run malicious code on an affected firmware. The second flaw allows an attacker to install a malicious firmware version on Aruba’s devices because the software doesn’t properly check to see if it’s a trusted update or not.
Bleedingbit Vulnerabilities Overview
There are two vulnerabilities that impact the Bluetooth low-energy chips:
- CVE-2018-16986: This vulnerability impacts Cisco access points using TI BLE chips. A proximal attacker sends a crafted BLE broadcast message to trigger memory corruption in the chip’s BLE stack, creating a scenario in which the threat actor is able to access an operating system and hijack devices, create a backdoor and remotely execute malicious code.
- CVE-2018-7080: This vulnerability is present in the over-the-air firmware download (OAD) feature of TI chips used in Aruba Wi-Fi access point Series 300 systems. The vulnerability is technically a leftover development backdoor tool that allows firmware updates. An attacker with access to a software image or to the AP hardware could recover the password needed to access the OAD feature. Being in proximity to the AP, an attacker can access the AP and install a malicious version of the firmware, effectively rewriting the operating system of the device.
Devices Affected by Bleedingbit
Vulnerability CVE-2018-16986 affects the following Cisco access points:
- Cisco 1800i Aironet Access Points
- Cisco 1810 Aironet Access Points
- Cisco 1815i Aironet Access Points
- Cisco 1815w Aironet Access Points
- Cisco 4800 Aironet Access Points
- Cisco 1540 Aironet Series Outdoor Access Point
- Meraki MR30H AP
- Meraki MR33 AP
- Meraki MR42E AP
- Meraki MR53E AP
- Meraki MR74 AP
Vulnerability CVE-2018-7080 affects the following Aruba devices:
- AP-3xx and IAP-3xx series access points
- ArubaOS 6.4.4.x prior to 18.104.22.168
- ArubaOS 6.5.3.x prior to 22.214.171.124
- ArubaOS 6.5.4.x prior to 126.96.36.199
- ArubaOS 8.2.x prior to 188.8.131.52
- ArubaOS 8.3.x prior to 184.108.40.206
Cisco has released fixes for Bleedingbit: for Aironet AP version 220.127.116.11 is available, and fo Meraki AP version MR 25.13 is also available.
Aruba has also released upgrades to address the vulnerability:
- 18.104.22.168 for ArubaOS 6.4.4.x
- 22.214.171.124 for ArubaOS 6.5.3.x
- 126.96.36.199 for ArubaOS 6.5.4.x
- 188.8.131.52 for ArubaOS 8.2.x
- 184.108.40.206 for ArubaOS 8.3.x
It’s recommended to upgrade to one of these versions or a later one.
MikroTik Routers Infected in Mass-Scale Coinhive Cryptojacking Campaign: More than 200,000 MikroTik routers have been infected worldwide, an upgrade to the firmware is available
Spectre Reemerges With Two New Variants: The Intel chip-level flaw is back with two new variants, Spectre 1.1 and 1.2, with some patches available