Friday, April 12, 2024

BLEEDINGBIT – Two Bluetooth Chip-level Vulnerabilities Affected Millions of Enterprise Wi-Fi Access Point Devices

Researcher’s discovered 2 critical Bluetooth vulnerabilities in BLE (Bluetooth Low Energy)  is named as ” BLEEDINGBIT ” affected millions of BLE embedded devices that allows an attacker to access enterprise network without authentication.

These serious vulnerabilities existing in the BLE which is made by Texas Instruments (TI) that embedded in access points to provide Wi-Fi to enterprise networks.

It was discovered in network devices that manufactured by Cisco, Meraki, and Aruba which is used in almost 70% of worldwide computer networks.

The Critical flaw gives very sensitive access to attackers who can able to breaking network segmentation once they take over the Wi-Fi access point.

Apart from the network devices that using BLE chips, it also affected IoT devices, medical centers use BLE to track the location of beacons on valuable assets like resuscitation carts, the point of sales devices, smart locks, hotel chain, cars where BLE Chip establish established Bluetooth protocol.

These vulnerabilities introduce the new attack surface to network devices, such as access points which distribute Wi-Fi on an enterprise scale.

Both vulnerabilities that related to BLE chips are Remote code execution vulnerabilities existing in TI chip that embedded in many devices.

These Vulnerable BIE Chips responsible for wireless communication, they can be exploited remotely, via the air and it allows an attacker to penetrate the vulnerable network.

How Do BLEEDINGBIT  Vulnerabilities works

Both vulnerabilities are working in different ways and both are mainly focusing on access point of the affected devices.

BLEEDINGBIT RCE Vulnerability (CVE-2018-16986)

Initially attackers exploit this vulnerability on nearby affected devices in order to turn on the BLE without any prior knowledge about the devices.

Later they send  BLE broadcast messages(advertising packets) that will be stored in the memory of the vulnerable BLE chip in a targeted device which is remain undetected by the security software.

Attackers keep sending the overflow packets that causes the chip to allocate the much larger space to triggering an overflow of critical memory in the process.

This process leaks the memory pointer which leads an attack to leverage the code sent to the vulnerable chip in the previous stage of the attack.

Finally, an attacker can be able to run malicious code on the targeted system and install a backdoor on the vulnerable chip.

CVE-2018-16986 – Affected Device
Cisco 1540 Aironet Series Outdoor Access PointsCSCvk441638.8.100.0
Cisco 1800i Aironet Access PointsCSCvk441638.8.100.0
Cisco 1810 Aironet Access PointsCSCvk441638.8.100.0
Cisco 1815i Aironet Access PointsCSCvk441638.8.100.0
Cisco 1815m Aironet Access PointsCSCvk441638.8.100.0
Cisco 1815w Aironet Access PointsCSCvk441638.8.100.0
Cisco 4800 Aironet Access PointsCSCvk441638.8.100.0
Meraki MR30H APN/AMR 25.13 and later
Meraki MR33 APN/AMR 25.13 and later
Meraki MR42E APN/AMR 25.13 and later
Meraki MR53E APN/AMR 25.13 and later
Meraki MR74N/AMR 25.13 and later
BLEEDINGBIT OAD RCE Vulnerability (CVE-2018-7080)

Second Vulnerability mainly affected the Aruba Access Point Series 300 that helps to use the OAD future in TI.

According to armis research, This issue is technically a backdoor in BLE chips that was designed to allow firmware updates. The OAD feature is often used as a development tool, but is active in some production access points. It can allow a nearby attacker to access and install a completely new and different version of the firmware .

“However, an attacker who acquired the password by sniffing a legitimate update or by reverse-engineering Aruba’s BLE firmware can connect to the BLE chip on a vulnerable access point and upload a malicious firmware containing the attacker’s own code”

CVE-2018-7080 -Affected Device
  • cc2642r
  • cc2640r2
  • cc2640
  • cc2650
  • cc2540
  • cc2541

You can find security advisory for the affected device fixes released by the Vendors Cisco & Aruba.

Also Read:

Critical BlueBorne Vulnerability Puts More Than 5 Billion Bluetooth Enabled Devices Under Attack

Critical BlueBorne Vulnerability Impacts Around 20 Million Google Home and Amazon Echo Devices

2 Billion Bluetooth Devices are Still Vulnerable to Dangerous BlueBorne Attack After 1 Year


Latest articles

6-year-old Lighttpd Flaw Impacts Intel And Lenovo Servers

The software supply chain is filled with various challenges, such as untracked security vulnerabilities...

Hackers Employ Deepfake Technology To Impersonate as LastPass CEO

A LastPass employee recently became the target of an attempted fraud involving sophisticated audio...

Sisence Data Breach, CISA Urges To Reset Login Credentials

In response to a recent data breach at Sisense, a provider of data analytics...

DuckDuckGo Launches Privacy Pro: 3-in-1 service With VPN

DuckDuckGo has launched Privacy Pro, a new subscription service that promises to enhance user...

Cyber Attack Surge by 28%:Education Sector at High Risk

In Q1 2024, Check Point Research (CPR) witnessed a notable increase in the average...

Midnight Blizzard’s Microsoft Corporate Email Hack Threatens Federal Agencies: CISA Warns

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive concerning a...

Taxi App Vendor Data Leak: 300K Passengers Data Exposed

Around 300,000 taxi passengers' personal information was left exposed on the internet, causing concern...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Top 3 SME Attack Vectors

Securing the Top 3 SME Attack Vectors

Cybercriminals are laying siege to small-to-medium enterprises (SMEs) across sectors. 73% of SMEs know they were breached in 2023. The real rate could be closer to 100%.

  • Stolen credentials
  • Phishing
  • Exploitation of vulnerabilities

Related Articles