Friday, November 1, 2024
HomeBackdoorBLEEDINGBIT - Two Bluetooth Chip-level Vulnerabilities Affected Millions of Enterprise Wi-Fi Access...

BLEEDINGBIT – Two Bluetooth Chip-level Vulnerabilities Affected Millions of Enterprise Wi-Fi Access Point Devices

Published on

Malware protection

Researcher’s discovered 2 critical Bluetooth vulnerabilities in BLE (Bluetooth Low Energy)  is named as ” BLEEDINGBIT ” affected millions of BLE embedded devices that allows an attacker to access enterprise network without authentication.

These serious vulnerabilities existing in the BLE which is made by Texas Instruments (TI) that embedded in access points to provide Wi-Fi to enterprise networks.

It was discovered in network devices that manufactured by Cisco, Meraki, and Aruba which is used in almost 70% of worldwide computer networks.

- Advertisement - SIEM as a Service

The Critical flaw gives very sensitive access to attackers who can able to breaking network segmentation once they take over the Wi-Fi access point.

Apart from the network devices that using BLE chips, it also affected IoT devices, medical centers use BLE to track the location of beacons on valuable assets like resuscitation carts, the point of sales devices, smart locks, hotel chain, cars where BLE Chip establish established Bluetooth protocol.

These vulnerabilities introduce the new attack surface to network devices, such as access points which distribute Wi-Fi on an enterprise scale.

Both vulnerabilities that related to BLE chips are Remote code execution vulnerabilities existing in TI chip that embedded in many devices.

These Vulnerable BIE Chips responsible for wireless communication, they can be exploited remotely, via the air and it allows an attacker to penetrate the vulnerable network.

How Do BLEEDINGBIT  Vulnerabilities works

Both vulnerabilities are working in different ways and both are mainly focusing on access point of the affected devices.

BLEEDINGBIT RCE Vulnerability (CVE-2018-16986)

Initially attackers exploit this vulnerability on nearby affected devices in order to turn on the BLE without any prior knowledge about the devices.

Later they send  BLE broadcast messages(advertising packets) that will be stored in the memory of the vulnerable BLE chip in a targeted device which is remain undetected by the security software.

Attackers keep sending the overflow packets that causes the chip to allocate the much larger space to triggering an overflow of critical memory in the process.

This process leaks the memory pointer which leads an attack to leverage the code sent to the vulnerable chip in the previous stage of the attack.

Finally, an attacker can be able to run malicious code on the targeted system and install a backdoor on the vulnerable chip.

CVE-2018-16986 – Affected Device
Cisco 1540 Aironet Series Outdoor Access PointsCSCvk441638.8.100.0
Cisco 1800i Aironet Access PointsCSCvk441638.8.100.0
Cisco 1810 Aironet Access PointsCSCvk441638.8.100.0
Cisco 1815i Aironet Access PointsCSCvk441638.8.100.0
Cisco 1815m Aironet Access PointsCSCvk441638.8.100.0
Cisco 1815w Aironet Access PointsCSCvk441638.8.100.0
Cisco 4800 Aironet Access PointsCSCvk441638.8.100.0
Meraki MR30H APN/AMR 25.13 and later
Meraki MR33 APN/AMR 25.13 and later
Meraki MR42E APN/AMR 25.13 and later
Meraki MR53E APN/AMR 25.13 and later
Meraki MR74N/AMR 25.13 and later
BLEEDINGBIT OAD RCE Vulnerability (CVE-2018-7080)

Second Vulnerability mainly affected the Aruba Access Point Series 300 that helps to use the OAD future in TI.

According to armis research, This issue is technically a backdoor in BLE chips that was designed to allow firmware updates. The OAD feature is often used as a development tool, but is active in some production access points. It can allow a nearby attacker to access and install a completely new and different version of the firmware .

“However, an attacker who acquired the password by sniffing a legitimate update or by reverse-engineering Aruba’s BLE firmware can connect to the BLE chip on a vulnerable access point and upload a malicious firmware containing the attacker’s own code”

CVE-2018-7080 -Affected Device
  • cc2642r
  • cc2640r2
  • cc2640
  • cc2650
  • cc2540
  • cc2541

You can find security advisory for the affected device fixes released by the Vendors Cisco & Aruba.

Also Read:

Critical BlueBorne Vulnerability Puts More Than 5 Billion Bluetooth Enabled Devices Under Attack

Critical BlueBorne Vulnerability Impacts Around 20 Million Google Home and Amazon Echo Devices

2 Billion Bluetooth Devices are Still Vulnerable to Dangerous BlueBorne Attack After 1 Year

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...