Armis Labs has identified two vulnerabilities in Texas Instruments’ Bluetooth Low Energy (BLE) chips that are used in wireless access points manufactured by Cisco, Meraki, and Aruba. The affected wireless access points are used by hundreds of thousands of businesses around the world.
Cisco, Meraki, and Aruba supply at least 70% of business wireless access points, which places all of those businesses at risk. It is not yet known exactly how many devices have the BleedingBit vulnerabilities, although Armis Labs suspects millions of devices could be affected.
If the BleedingBit vulnerabilities are exploited, attackers would be able to take full control of the access points without any need for authentication. The access points could be disabled, data could be intercepted, malware installed, or the attackers could use the vulnerabilities to gain access to business networks served by the access points and access any device in the vicinity of the AP.
Two BleedingBit vulnerabilities have been discovered. CVE-2018-16986 allows memory corruption in the BLE stack, through which full control of the AP could be gained. To exploit the vulnerability, an attacker would need to be within range of the AP and BLE would need to be turned on. No knowledge of the device would be required and there are no other prerequisites to exploit the vulnerability.
An attacker would need to send specially crafted packets to the AP containing code which is run in the next stage of the attack. The second stage involves sending an overflow packet to trigger a critical memory overflow which allows the attacker to run the previously sent code.
The vulnerability has been confirmed to affect Cisco Aironet Access Points 1800i, 1810, 1815i, 1815m, 1815w, 4800 and the Cisco 1540 Aironet Series Outdoor Access Point. Meraki MR30H, MR33, MR42E, MR53E, and MR74 Access Points are also affected.
The second of the BleedingBit vulnerabilities – CVE-2018-7080 – is present in the over-the-air firmware download (OAD) feature of Texas Instruments’ chips used in Aruba Series 300 Wi-Fi Access Points. The vulnerability stems from a development backdoor tool that was never removed. If exploited, it would allow a new and completely different version of the firmware to be installed, giving the attacker full control of the device.
Armis Labs says that exploitation of the BleedingBit vulnerabilities would not be detected by standard AV solutions and would be unlikely to raise any red flags. The attacker could move laterally between network segments, intercept traffic, install malware, tamper with operating systems, and hijack a wide range of devices undetected.
Cisco has already patched its affected devices, and Meraki has published guidance on how users can make changes to BLE settings to prevent exploitation of the vulnerabilities. Exploitation of CVE-2018-7080 can be blocked by disabling OAD functionality. Texas Instruments has now corrected the flaw in BLE-STACK v2.2.2.
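The advisory boils down to three defender actions per vendor: patch the affected Cisco models, turn BLE off on the affected Meraki models, and disable OAD on the Aruba 300 series. The script below is an added example, not code from Armis Labs or any of the vendors, that triages an access-point inventory against exactly those rules. The `AccessPoint` record, the `SAMPLE_INVENTORY` entries and the assumption that Aruba 300-series units are named `AP-3xx` in the inventory are all constructed for the example.

```python
"""Triage a wireless-AP inventory against the BleedingBit advisories.

Added example: model lists and mitigations come from the article text;
the inventory format and the Aruba model-name convention are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Models the article lists as affected by CVE-2018-16986 (BLE stack overflow).
CISCO_AFFECTED = {"1800I", "1810", "1815I", "1815M", "1815W", "4800", "1540"}
MERAKI_AFFECTED = {"MR30H", "MR33", "MR42E", "MR53E", "MR74"}
# Aruba Series 300 (CVE-2018-7080, OAD feature). Matching "AP-3xx" model
# strings is an assumption about how the inventory names these units.
ARUBA_300_SERIES = re.compile(r"\bAP-?3\d\d\b", re.IGNORECASE)


@dataclass
class AccessPoint:
    name: str
    vendor: str               # "cisco", "meraki" or "aruba"
    model: str
    ble_enabled: bool
    oad_enabled: bool = False  # only meaningful for Aruba units
    patched: bool = False      # vendor fix / BLE-STACK v2.2.2 applied


def _model_tokens(model: str) -> set:
    """Split 'Aironet 1815i' into {'AIRONET', '1815I'} for list matching."""
    return {t.upper() for t in re.split(r"[\s/,-]+", model) if t}


def assess(ap: AccessPoint) -> Optional[Tuple[str, bool, str]]:
    """Return (cve, exposed, action) for one AP, or None if out of scope."""
    vendor = ap.vendor.lower()
    if vendor == "cisco" and _model_tokens(ap.model) & CISCO_AFFECTED:
        exposed = ap.ble_enabled and not ap.patched
        return ("CVE-2018-16986", exposed,
                "apply Cisco patch" if exposed else "none")
    if vendor == "meraki" and _model_tokens(ap.model) & MERAKI_AFFECTED:
        exposed = ap.ble_enabled and not ap.patched
        return ("CVE-2018-16986", exposed,
                "disable BLE per Meraki guidance" if exposed else "none")
    if vendor == "aruba" and ARUBA_300_SERIES.search(ap.model):
        # OAD rides on BLE, so exposure needs both enabled and no fix applied.
        exposed = ap.ble_enabled and ap.oad_enabled and not ap.patched
        return ("CVE-2018-7080", exposed,
                "disable OAD" if exposed else "none")
    return None


def triage(inventory: List[AccessPoint]) -> List[Tuple[str, str, str]]:
    """Return (name, cve, action) for every AP that is currently exposed."""
    findings = []
    for ap in inventory:
        result = assess(ap)
        if result is not None and result[1]:
            findings.append((ap.name, result[0], result[2]))
    return findings


# Constructed sample inventory; not real devices.
SAMPLE_INVENTORY = [
    AccessPoint("lobby-ap", "cisco", "Aironet 1815i", ble_enabled=True),
    AccessPoint("floor2-ap", "meraki", "MR33", ble_enabled=True, patched=True),
    AccessPoint("warehouse-ap", "aruba", "AP-305", ble_enabled=True,
                oad_enabled=True),
    AccessPoint("lab-ap", "cisco", "Aironet 2800", ble_enabled=True),
]

if __name__ == "__main__":
    for name, cve, action in triage(SAMPLE_INVENTORY):
        print(f"{name}: {cve} -> {action}")
```

Feeding a real export into `SAMPLE_INVENTORY`'s place gives a per-device worklist; an entry that returns `None` is simply outside the models the advisory names, not a verdict that it is safe.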