Thursday, March 28, 2024

BLEEDINGBIT – Two Bluetooth Chip-level Vulnerabilities Affected Millions of Enterprise Wi-Fi Access Point Devices

Researcher’s discovered 2 critical Bluetooth vulnerabilities in BLE (Bluetooth Low Energy)  is named as ” BLEEDINGBIT ” affected millions of BLE embedded devices that allows an attacker to access enterprise network without authentication.

These serious vulnerabilities existing in the BLE which is made by Texas Instruments (TI) that embedded in access points to provide Wi-Fi to enterprise networks.

It was discovered in network devices that manufactured by Cisco, Meraki, and Aruba which is used in almost 70% of worldwide computer networks.

The Critical flaw gives very sensitive access to attackers who can able to breaking network segmentation once they take over the Wi-Fi access point.

Apart from the network devices that using BLE chips, it also affected IoT devices, medical centers use BLE to track the location of beacons on valuable assets like resuscitation carts, the point of sales devices, smart locks, hotel chain, cars where BLE Chip establish established Bluetooth protocol.

These vulnerabilities introduce the new attack surface to network devices, such as access points which distribute Wi-Fi on an enterprise scale.

Both vulnerabilities that related to BLE chips are Remote code execution vulnerabilities existing in TI chip that embedded in many devices.

These Vulnerable BIE Chips responsible for wireless communication, they can be exploited remotely, via the air and it allows an attacker to penetrate the vulnerable network.

How Do BLEEDINGBIT  Vulnerabilities works

Both vulnerabilities are working in different ways and both are mainly focusing on access point of the affected devices.

BLEEDINGBIT RCE Vulnerability (CVE-2018-16986)

Initially attackers exploit this vulnerability on nearby affected devices in order to turn on the BLE without any prior knowledge about the devices.

Later they send  BLE broadcast messages(advertising packets) that will be stored in the memory of the vulnerable BLE chip in a targeted device which is remain undetected by the security software.

Attackers keep sending the overflow packets that causes the chip to allocate the much larger space to triggering an overflow of critical memory in the process.

This process leaks the memory pointer which leads an attack to leverage the code sent to the vulnerable chip in the previous stage of the attack.

Finally, an attacker can be able to run malicious code on the targeted system and install a backdoor on the vulnerable chip.

CVE-2018-16986 – Affected Device
Cisco 1540 Aironet Series Outdoor Access PointsCSCvk441638.8.100.0
Cisco 1800i Aironet Access PointsCSCvk441638.8.100.0
Cisco 1810 Aironet Access PointsCSCvk441638.8.100.0
Cisco 1815i Aironet Access PointsCSCvk441638.8.100.0
Cisco 1815m Aironet Access PointsCSCvk441638.8.100.0
Cisco 1815w Aironet Access PointsCSCvk441638.8.100.0
Cisco 4800 Aironet Access PointsCSCvk441638.8.100.0
Meraki MR30H APN/AMR 25.13 and later
Meraki MR33 APN/AMR 25.13 and later
Meraki MR42E APN/AMR 25.13 and later
Meraki MR53E APN/AMR 25.13 and later
Meraki MR74N/AMR 25.13 and later
BLEEDINGBIT OAD RCE Vulnerability (CVE-2018-7080)

Second Vulnerability mainly affected the Aruba Access Point Series 300 that helps to use the OAD future in TI.

According to armis research, This issue is technically a backdoor in BLE chips that was designed to allow firmware updates. The OAD feature is often used as a development tool, but is active in some production access points. It can allow a nearby attacker to access and install a completely new and different version of the firmware .

“However, an attacker who acquired the password by sniffing a legitimate update or by reverse-engineering Aruba’s BLE firmware can connect to the BLE chip on a vulnerable access point and upload a malicious firmware containing the attacker’s own code”

CVE-2018-7080 -Affected Device
  • cc2642r
  • cc2640r2
  • cc2640
  • cc2650
  • cc2540
  • cc2541

You can find security advisory for the affected device fixes released by the Vendors Cisco & Aruba.

Also Read:

Critical BlueBorne Vulnerability Puts More Than 5 Billion Bluetooth Enabled Devices Under Attack

Critical BlueBorne Vulnerability Impacts Around 20 Million Google Home and Amazon Echo Devices

2 Billion Bluetooth Devices are Still Vulnerable to Dangerous BlueBorne Attack After 1 Year

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles