A set of vulnerabilities named “BleedingBit” allows an unauthenticated attacker within Bluetooth radio range to exploit Bluetooth Low Energy (BLE) chips made by Texas Instruments that are built into millions of access points and networking devices used by enterprises across the globe.
Security researchers at Armis found that an attacker can execute arbitrary code on the chip and gain full control of the device without passing any authentication.
The first vulnerability, CVE-2018-16986, affects the TI CC2640 and CC2650 chips, which are found in many Cisco and Meraki access points. It is a buffer overflow in the chip's handling of BLE advertising packets, not a matter of sending more traffic than the chip can handle: the attacker first sends a number of benign advertising packets that the chip stores in memory, then sends a crafted advertising packet with a specific header bit set, which makes the chip allocate far more space for the packet than it needs. The resulting memory corruption lets the attacker run malicious code on the chip.
The second vulnerability, CVE-2018-7080, lies in the Over-the-Air firmware Download (OAD) feature of the TI CC2642R2, CC2640R2, CC2640, CC2650, CC2540 and CC2541 chips and affects Aruba's Series 300 Wi-Fi access points. OAD is a TI development feature for pushing new firmware to the chip over BLE and is not meant to be left enabled in production devices. Its only protection is a password, and all of Aruba's access points share the same hard-coded OAD password. An attacker can recover it by sniffing a legitimate update or by reverse engineering Aruba's firmware, then deliver a malicious firmware image to the chip and take over the device.
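The shared-password problem above is a design flaw, not just a leaked secret: any static credential that every unit must hold can be extracted from one unit. The following Go program is an added example, not code from the article, Armis, TI or Aruba. It contrasts a static OAD-style password gate with update authentication that keeps no secret on the device: the access point holds only the vendor's Ed25519 public key and installs an image only if the signature verifies and the version is strictly newer than what is installed. The image layout, the `Device` type, the function names and the password string are all constructed for this illustration and do not describe the real OAD protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// sharedOADPassword stands in for a static password baked into every unit.
// Constructed placeholder, not a real value. Anyone who sniffs one legitimate
// update or pulls the string out of a firmware image passes weakAccept on
// every device that uses it.
const sharedOADPassword = "example-shared-password"

func weakAccept(password string) bool {
	return password == sharedOADPassword
}

// UpdateImage is a hypothetical OAD-style image: a version counter, the
// firmware body and an Ed25519 signature over version||body.
type UpdateImage struct {
	Version   uint32
	Body      []byte
	Signature []byte
}

// signedPayload is the exact byte string the vendor signs and the device
// verifies. Binding the version into the signature stops an attacker from
// re-labelling an old, validly signed image as a newer one.
func signedPayload(version uint32, body []byte) []byte {
	buf := make([]byte, 4+len(body))
	binary.BigEndian.PutUint32(buf, version)
	copy(buf[4:], body)
	return buf
}

// signImage runs in the vendor's build pipeline; the private key never
// reaches an access point, so there is nothing to extract from its firmware.
func signImage(priv ed25519.PrivateKey, version uint32, body []byte) UpdateImage {
	return UpdateImage{
		Version:   version,
		Body:      body,
		Signature: ed25519.Sign(priv, signedPayload(version, body)),
	}
}

// Device is the receiving side (hypothetical). It holds only the vendor's
// public key and the currently installed version.
type Device struct {
	VendorKey      ed25519.PublicKey
	CurrentVersion uint32
}

var (
	ErrBadSignature = errors.New("oad: signature verification failed")
	ErrRollback     = errors.New("oad: image version is not newer than the installed one")
)

// Accept installs img only if it carries a valid vendor signature and a
// strictly newer version (anti-rollback). The signature is checked first so
// an unsigned image cannot influence the version comparison at all.
func (d *Device) Accept(img UpdateImage) error {
	if !ed25519.Verify(d.VendorKey, signedPayload(img.Version, img.Body), img.Signature) {
		return ErrBadSignature
	}
	if img.Version <= d.CurrentVersion {
		return ErrRollback
	}
	d.CurrentVersion = img.Version
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	ap := &Device{VendorKey: pub, CurrentVersion: 1}

	fmt.Println("weak gate, replayed shared password:", weakAccept(sharedOADPassword))
	fmt.Println("genuine v2 image:", ap.Accept(signImage(priv, 2, []byte("firmware v2"))))

	tampered := signImage(priv, 3, []byte("firmware v3"))
	tampered.Body = []byte("attacker payload") // signature no longer matches
	fmt.Println("tampered body:", ap.Accept(tampered))

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker-signed image:", ap.Accept(signImage(attackerPriv, 3, []byte("attacker payload"))))

	fmt.Println("downgrade to v1:", ap.Accept(signImage(priv, 1, []byte("firmware v1"))))
}
```

The version check matters as much as the signature: without it, an attacker who captured an older vendor-signed image with a known bug could push it back onto a patched device. In a real product the public key would live in ROM or be tied to a secure-boot root of trust, and the version counter would be stored in write-protected or monotonic storage so a compromised host cannot reset it.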
All of the vulnerabilities were responsibly reported to the affected vendors in June 2018. Texas Instruments acknowledged them and released fixes to its BLE stack, which reach customers through the respective OEMs' firmware updates. Cisco, which also owns Meraki, released updates on Thursday to address CVE-2018-16986, and Aruba released a security patch for its 3xx and IAP-3xx series to address CVE-2018-7080.
Both vendors note that Bluetooth is disabled by default on their devices, and at the time of writing no attacks exploiting these vulnerabilities have been reported in the wild. Administrators who have enabled BLE on their access points, for example for beacon or location services, should apply the updates or disable BLE until they can.