Bleedingbit zero-day chip flaws may expose majority of enterprises to remote code execution attacks

Updated: The BLE chip zero-day vulnerabilities have the potential to render millions of enterprise security systems powerless.

Bleedingbit is a set of two new zero-day vulnerabilities which have the potential to expose enterprise firms to remote code execution attacks worldwide.

On Thursday, researchers from enterprise security firm Armis revealed the bugs, which together impact Bluetooth Low-Energy (BLE) chips used in millions of Cisco, Meraki, and Aruba wireless access points (APs).

Developed by Texas Instruments (TI), the vulnerable BLE chips are used by roughly 70 to 80 percent of business wireless access points today by way of Cisco, Meraki and Aruba products.

"Because businesses rely on them for mission-critical communications, a compromise at this level can give attackers deep access into enterprise networks," Armis says.

It is not known at this time how many devices are immediately impacted by Bleedingbit; however, Armis told ZDNet that initial figures estimate that "millions" of devices are affected, and "this number is expected to rise."

The BLE protocol, also sometimes known as Bluetooth Smart, is based on the standard Bluetooth communications protocol but has been tailored for Internet of Things (IoT) devices.

BLE is not only used for connecting IoT devices over low-power networks. The protocol is also used for access point networking, smart home locks, phone as-a-key connected systems, tracking systems, and medical devices such as insulin pumps and pacemakers.

While BLE is useful for cross-platform support between IoT and mobile devices running a range of operating systems, Armis says the new standard has opened devices up to a "new range of chip-based vulnerabilities, endangering the integrity of the networks they serve."

The first vulnerability, CVE-2018-16986, impacts Cisco and Meraki APs using TI BLE chips.

Attackers can remotely send multiple benign BLE broadcast messages, called "advertising packets," which are stored in the memory of the vulnerable chip. As long as a target device's BLE is turned on, these packets -- which contain hidden malicious code to be invoked later on -- can be used together with an overflow packet to trigger an overflow of critical memory.

If exploited, attackers are able to trigger memory corruption in the chip's BLE stack, creating a scenario in which the threat actor is able to access an operating system and hijack devices, create a backdoor, and remotely execute malicious code.

"In the case of an access point, once the attacker gained control he can reach all networks served by it, regardless of any network segmentation," Armis says. "Furthermore, the attacker can use the device in his control to spread laterally to any other device in its vicinity, launching a truly airborne attack."

The TI chip versions below are vulnerable when scanning is used in either an observer role or central role:

  • CC2640 (non-R2) with BLE-STACK version 2.2.1 or earlier; or
  • CC2650 with BLE-STACK version 2.2.1 or earlier; or
  • CC2640R2 with BLE-STACK version 1.0 or earlier

Affected access points:

Cisco APs:

  • Cisco 1800i Aironet Access Points
  • Cisco 1810 Aironet Access Points
  • Cisco 1815i Aironet Access Points
  • Cisco 1815m Aironet Access Points
  • Cisco 1815w Aironet Access Points
  • Cisco 4800 Aironet Access Points
  • Cisco 1540 Aironet Series Outdoor Access Point

Meraki APs:

  • Meraki MR30H AP
  • Meraki MR33 AP
  • Meraki MR42E AP
  • Meraki MR53E AP
  • Meraki MR74

The second vulnerability, CVE-2018-7080, is present in the over-the-air firmware download (OAD) feature of TI chips used in Aruba Wi-Fi access point Series 300 systems.


The vulnerability is technically a leftover development backdoor tool.

This oversight, the failure to remove such a powerful development tool, could permit attackers to compromise the system by gaining a foothold into a vulnerable access point.

"It allows an attacker to access and install a completely new and different version of the firmware -- effectively rewriting the operating system of the device," the company says. "The OAD feature doesn't offer a security mechanism that differentiates a 'good' or trusted firmware update from a potentially malicious update."

The vulnerability affects any of the following TI BLE chips provided the vendor included the OAD feature in devices:

  • CC2642R
  • CC2640R2
  • CC2640
  • CC2650
  • CC2540
  • CC2541

Together, both vulnerabilities can give threat actors almost unlimited opportunities to wreak havoc inside an enterprise system -- including device hijacking, tampering with operating systems, executing malware payloads, reading network traffic, and moving laterally between network segments.

According to Armis, attacks utilizing Bleedingbit cannot be detected by traditional antivirus solutions.


"Bleedingbit is a wakeup call to enterprise security for two reasons," said Armis CEO Yevgeny Dibrov. "First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns. Second, these vulnerabilities can destroy network segmentation -- the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device."

Armis contacted Texas Instruments with its findings on 20 June. TI had already recognized the problem but only as a stability issue, rather than one with security ramifications. The companies then worked together to develop a patch once the full potential of the bug was realized.

Aruba was informed on July 9 and Cisco was notified on July 24.

Cisco, Meraki, and Aruba have prepared patches to resolve Bleedingbit. IT administrators should accept the security updates as soon as they become available in order to keep enterprise networks safe from exploit.

Cisco products received patches prior to the public disclosure of Bleedingbit.

(Update: Cisco and Aruba have each published a security advisory, and Meraki has published guidance on how to change BLE settings.)

Manufacturers using the vulnerable TI chips should upgrade to the latest BLE-STACK (v2.2.2) which eradicates vulnerability to Bleedingbit.

Armis recommends that OAD functionality be disabled in live production environments to protect against the second vulnerability.
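As an added example (not code from Armis, TI, or the vendors named here), the following script triages an access-point inventory against the two exposure conditions the article states: the chip and BLE-STACK version matrix plus scanning role for CVE-2018-16986, and the OAD feature left enabled on a listed chip for CVE-2018-7080. The inventory records are constructed sample data, and the field names are assumptions; the rules encode only what the article gives, so a clean result means "not matched by these criteria," not "safe."

```python
# Added example: triage an AP/BLE inventory against the Bleedingbit criteria
# stated in the article. Inventory records are constructed sample data.

# CVE-2018-16986: CC2640 (non-R2) or CC2650 with BLE-STACK 2.2.1 or earlier,
# or CC2640R2 with BLE-STACK 1.0 or earlier, when scanning as observer/central.
CVE_2018_16986_MAX_STACK = {
    "CC2640": (2, 2, 1), "CC2650": (2, 2, 1), "CC2640R2": (1, 0, 0),
}
SCANNING_ROLES = {"observer", "central"}
# CVE-2018-7080: OAD feature present (enabled) on any of these chips.
CVE_2018_7080_CHIPS = {"CC2642R", "CC2640R2", "CC2640", "CC2650", "CC2540", "CC2541"}
FIXED_STACK = (2, 2, 2)  # BLE-STACK v2.2.2, the fixed version the article names


def parse_version(s):
    """'v2.2.1' -> (2, 2, 1); pad so '1.0' and '1.0.0' compare as equal."""
    parts = [int(p) for p in s.strip().lstrip("v").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def bleedingbit_findings(record):
    """Return the CVE ids a single inventory record matches (assumed field names)."""
    chip = record["chip"].upper()
    findings = []
    max_vuln = CVE_2018_16986_MAX_STACK.get(chip)
    if (max_vuln is not None
            and parse_version(record["ble_stack"]) <= max_vuln
            and record.get("role", "").lower() in SCANNING_ROLES):
        findings.append("CVE-2018-16986")
    if chip in CVE_2018_7080_CHIPS and record.get("oad_enabled", False):
        findings.append("CVE-2018-7080")
    return findings


def triage(inventory):
    """Map each device name to the list of Bleedingbit CVEs it matches."""
    return {r["name"]: bleedingbit_findings(r) for r in inventory}


SAMPLE_INVENTORY = [  # constructed sample records, not real devices
    {"name": "ap-01", "chip": "CC2640", "ble_stack": "2.2.1", "role": "observer", "oad_enabled": False},
    {"name": "ap-02", "chip": "CC2650", "ble_stack": "2.2.2", "role": "central", "oad_enabled": False},
    {"name": "ap-03", "chip": "CC2640R2", "ble_stack": "1.0", "role": "peripheral", "oad_enabled": True},
    {"name": "ap-04", "chip": "CC2540", "ble_stack": "1.4.2", "role": "peripheral", "oad_enabled": True},
]

if __name__ == "__main__":
    for name, cves in triage(SAMPLE_INVENTORY).items():
        print(name, cves or "no match against the stated Bleedingbit criteria")
```

ap-02 is clean because 2.2.2 is the fixed BLE-STACK release; ap-03 avoids CVE-2018-16986 only because it is not scanning, yet still matches CVE-2018-7080 through OAD, which is why the article's advice to disable OAD stands independently of the stack upgrade.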

The full scale of the catastrophic bugs is yet unknown. Armis is also working with the CERT Coordination Center (CERT/CC) and other vendors to ascertain the true extent of the Bleedingbit vulnerabilities and their potential reach into other types of devices and equipment.


"In this instance, we have clearly identified how Bleedingbit impacts network devices," said Ben Seri, VP of Research at Armis. "But this exposure goes beyond access points as these chips are used in many other types of devices and equipment."

"They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more," the executive added. "As we add more connected devices taking advantage of new protocols like BLE, we see the risk landscape grow with it."

Armis plans to release a full technical white paper describing the vulnerabilities at the Black Hat Europe conference, which is due to take place in the first week of December.

The Bleedingbit findings build on Armis research in 2017 which revealed BlueBorne, a set of nine exploitable Bluetooth vulnerabilities which impacted most modern devices that used the communication protocol.

BlueBorne permits account hijacking and data theft in the worst cases, and, in the same manner as Bleedingbit, cannot be stopped through traditional antivirus solutions.

The vulnerabilities impact Google's Android, Windows, Linux, and Apple iOS before iOS version 10.

At the time of discovery, it was estimated that 5.3 billion devices were vulnerable to the Bluetooth-based bugs. In September, Armis said that over two billion devices remain exposed and unpatched.

Update 16.35 GMT: A Cisco spokesperson told ZDNet:

"Cisco is aware of the third-party software vulnerability in the Bluetooth Low Energy (BLE) Stack on select chips that affects multiple vendors. When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks.

Cisco has identified a limited number of Aironet and Meraki Access Points which, under certain conditions, may be vulnerable to this issue.

Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention. Fixed software is available for all affected Cisco products. Cisco is not aware of any malicious use of the vulnerability."
