Security researchers have discovered two critical vulnerabilities, dubbed BleedingBit, in the Bluetooth chips found in access points and networking devices used by major enterprises.
The vulnerabilities were discovered in the Bluetooth Low Energy (BLE) chips designed by Texas Instruments.
The vulnerabilities could be exploited by remote attackers to take control of the vulnerable device without authentication.
The flaws were discovered by security researchers at the security firm Armis, and the affected chips are used by major enterprise vendors such as Cisco, Meraki and Aruba.
“The chips are embedded in, among other devices, certain access points that deliver Wi-Fi to enterprise networks manufactured by Cisco, Meraki and Aruba. These are the leaders in networking, accounting for nearly 70% of the market. Armis research focused on these network devices.”
The first BleedingBit flaw, tracked as CVE-2018-16986, is a remote code execution vulnerability that resides in a TI chip embedded in many devices.
The flaw can be exploited by attackers if they are within range of the targeted device and BLE is turned on.
First, the attacker sends advertising packets, which are stored in the memory of the vulnerable BLE chip in the targeted device.
Next, the attacker sends an overflow packet in the form of an altered advertising packet that has a specific bit in its header turned on instead of off, which triggers the memory overflow and code execution.
The attacker could use this flaw to install a backdoor on the chip and gain full control over the device.
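To make the bug class concrete from the defender's side, the following C model is added here as an illustration; it is hypothetical code written for this article, not Texas Instruments' BLE-STACK, not Armis's proof of concept, and not the real BleedingBit packet. It assumes the BLE 4.x legacy advertising PDU layout (a 6-bit length field with two reserved bits in the second header byte, followed by a 6-byte address and at most 31 bytes of AdvData) and a fixed-size advertising store like the one the article describes. The point it shows is that a receiver must never let a header bit it does not understand widen the length it copies into a fixed buffer: the hardened parser rejects reserved bits outright and checks the declared length against both the buffer and the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of a BLE legacy advertising PDU receiver (hypothetical code,
 * not TI's BLE-STACK and not the actual BleedingBit defect).
 * Assumed layout, per the BLE 4.x legacy advertising PDU header:
 *   byte 0 : PDU type (bits 0-3) and flag bits (bits 4-7), ignored here
 *   byte 1 : payload length in bits 0-5, bits 6-7 reserved for future use
 *   payload: 6-byte advertiser address followed by at most 31 bytes of AdvData */
#define ADV_ADDR_LEN     6
#define ADV_DATA_MAX     31
#define ADV_PAYLOAD_MAX  (ADV_ADDR_LEN + ADV_DATA_MAX)   /* 37 */
#define HDR_LEN_MASK     0x3F
#define HDR_RESERVED     0xC0

typedef struct {
    uint8_t addr[ADV_ADDR_LEN];
    uint8_t data[ADV_DATA_MAX];   /* fixed-size store, like a chip's advertising cache */
    uint8_t data_len;
} adv_record_t;

/* Length a naive receiver would derive if it took the whole header byte as the
 * length, i.e. let a set reserved bit enlarge it. Computed only, never used to copy. */
size_t naive_payload_len(uint8_t len_byte)
{
    return (size_t)len_byte;
}

/* Hardened parse: 0 on success, negative on rejection (reason in the comments). */
int parse_adv_pdu(const uint8_t *pdu, size_t pdu_len, adv_record_t *out)
{
    if (pdu == NULL || out == NULL || pdu_len < 2)
        return -1;                       /* no complete header */
    if (pdu[1] & HDR_RESERVED)
        return -2;                       /* reserved bits set: reject, do not reinterpret */
    size_t payload_len = pdu[1] & HDR_LEN_MASK;
    if (payload_len < ADV_ADDR_LEN || payload_len > ADV_PAYLOAD_MAX)
        return -3;                       /* outside what the fixed buffers can hold */
    if (pdu_len < 2 + payload_len)
        return -4;                       /* declared length exceeds bytes received */

    memcpy(out->addr, pdu + 2, ADV_ADDR_LEN);
    out->data_len = (uint8_t)(payload_len - ADV_ADDR_LEN);
    memcpy(out->data, pdu + 2 + ADV_ADDR_LEN, out->data_len);
    return 0;
}

/* Constructed sample PDUs (not captured traffic). */
/* Well-formed: length 9 = 6 address bytes + 3 bytes of AdvData (a Flags AD structure). */
const uint8_t GOOD_PDU[] = { 0x00, 0x09,
                             0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
                             0x02, 0x01, 0x06 };
/* Malformed: bit 7 of the length byte set (0x9F); the low six bits say 31. */
const uint8_t BAD_PDU[2 + ADV_PAYLOAD_MAX] = { 0x00, 0x9F,
                                               0x11, 0x22, 0x33, 0x44, 0x55, 0x66 };

int main(void)
{
    adv_record_t rec;
    int rc = parse_adv_pdu(GOOD_PDU, sizeof GOOD_PDU, &rec);
    printf("good pdu -> %d (data_len %u)\n", rc, rec.data_len);
    printf("naive length for 0x9F -> %zu bytes into a %d-byte buffer\n",
           naive_payload_len(BAD_PDU[1]), ADV_DATA_MAX);
    printf("bad pdu -> %d\n", parse_adv_pdu(BAD_PDU, sizeof BAD_PDU, &rec));
    return 0;
}
```

The naive length for the malformed header comes out at 159 bytes against a 31-byte AdvData buffer, which is exactly the gap a receiver that honours unknown header bits would copy across; the hardened parser returns -2 before any copy happens.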
The second BleedingBit flaw, tracked as CVE-2018-7080, is a backdoor in BLE chips that was designed to allow firmware updates. The flaw affects devices using chips that have the over-the-air firmware download (OAD) feature enabled. The flaw affects Aruba’s Wi-Fi access point Series 300.
All Aruba access points share the same OAD password, which can be obtained either by sniffing a legitimate update or by reverse-engineering Aruba’s BLE firmware.
“The OAD feature is often used as a development tool, but is active in some production access points. It can allow a nearby attacker to access and install a completely new and different version of the firmware — effectively rewriting the operating system of the BLE chip, if not implemented correctly by the manufacturer,” the researchers said in their published post.
The researchers said they have notified all vendors about the flaws. Texas Instruments has addressed the flaw in BLE-STACK version 2.2.2. Cisco and Aruba have also published security advisories regarding the vulnerabilities.
For more details regarding the flaws and affected products, you can visit the report published by Armis researchers.