[SingCERT] Technical Advisory on Vulnerabilities in Bluetooth Low Energy Chips by Texas Instruments (CVE-2018-16986 and CVE-2018-7080)

Published on 05 Nov 2018

Updated on 23 Oct 2019

Background

Security researchers have discovered two vulnerabilities dubbed “BLEEDINGBIT” in the Bluetooth Low Energy (BLE) chips made by Texas Instruments (TI).

CVE-2018-16986 is a buffer overflow vulnerability that occurs when processing malformed BLE frames, causing memory corruption. It can be exploited by an attacker within Bluetooth range of a targeted device that has both the BLE feature and scanning mode enabled.

CVE-2018-7080 is a vulnerability that exists when the Over-the-Air firmware Download (OAD) feature has not been properly configured to secure firmware updates.

Affected Products

The vulnerable chips are found in certain enterprise Wi-Fi access points manufactured by Cisco, Meraki and Aruba.

CVE-2018-16986 is present in the following BLE chips by TI:
  • CC2640 (non-R2) with BLE-STACK version 2.2.1 or an earlier version; or
  • CC2650 with BLE-STACK version 2.2.1 or an earlier version; or
  • CC2640R2F with SimpleLink CC2640R2 SDK version 1.00.00.22 (BLE-STACK 3.0.0); or
  • CC1350 with SimpleLink CC13x0 SDK version 2.20.00.38 (BLE-STACK 2.3.3) or an earlier version.

Affected access points:
  • Cisco 1800i, 1810, 1815i, 1815m, 1815w, 4800 Aironet
  • Cisco 1540 Aironet Series Outdoor
  • Meraki MR30H, MR33, MR42E, MR53E, MR74

CVE-2018-7080 is present in the following BLE chips by TI:
  • CC2642R, CC2640R2, CC2640, CC2650, CC2540, CC2541

Affected Aruba access points:
  • AP-3xx and IAP-3xx series access points
  • AP-203R
  • AP-203RP
  • ArubaOS 6.4.4.x prior to 6.4.4.20
  • ArubaOS 6.5.3.x prior to 6.5.3.9
  • ArubaOS 6.5.4.x prior to 6.5.4.9
  • ArubaOS 8.x prior to 8.2.2.2
  • ArubaOS 8.3.x prior to 8.3.0.4

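A version-range check built from the ArubaOS ranges listed above, as an added example that is not part of this advisory and not Aruba's own tooling: it parses a dotted ArubaOS version, matches it against each listed branch, and reports the fixed version an administrator should move to for CVE-2018-7080. The inventory entries and hostnames are constructed; the ranges are read as "affected if on a listed branch and below that branch's fix".

```python
"""Triage ArubaOS versions against the CVE-2018-7080 ranges in the SingCERT advisory.
Added example; the ranges are copied from the advisory, the parsing logic is not."""
import re
from typing import List, Optional, Tuple

# (affected branch, first fixed version on that branch), exactly as the advisory lists them.
AFFECTED_BRANCHES = [
    ("6.4.4", "6.4.4.20"),  # ArubaOS 6.4.4.x prior to 6.4.4.20
    ("6.5.3", "6.5.3.9"),   # ArubaOS 6.5.3.x prior to 6.5.3.9
    ("6.5.4", "6.5.4.9"),   # ArubaOS 6.5.4.x prior to 6.5.4.9
    ("8", "8.2.2.2"),       # ArubaOS 8.x prior to 8.2.2.2
    ("8.3", "8.3.0.4"),     # ArubaOS 8.3.x prior to 8.3.0.4
]


def parse_version(s: str) -> Tuple[int, ...]:
    """'6.5.4.9' -> (6, 5, 4, 9); a trailing build tag such as '-FIPS' is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"not an ArubaOS version string: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros so (8, 3) compares like (8, 3, 0, 0)."""
    return v + (0,) * (n - len(v))


def affected_by_cve_2018_7080(version: str) -> Optional[str]:
    """Return the fixed version to upgrade to if `version` is in an affected range,
    or None if it is at/after the fix or on a branch the advisory does not list."""
    v = parse_version(version)
    for branch, fixed in AFFECTED_BRANCHES:
        b = parse_version(branch)
        if v[: len(b)] != b:          # not on this branch (e.g. 7.x)
            continue
        f = parse_version(fixed)
        n = max(len(v), len(f))
        if _pad(v, n) < _pad(f, n):   # strictly "prior to" the fix
            return fixed
    return None


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Reduce an (hostname, version) inventory to the APs that still need the patch."""
    out = []
    for host, ver in inventory:
        fix = affected_by_cve_2018_7080(ver)
        if fix:
            out.append((host, ver, f"upgrade to ArubaOS {fix}"))
    return out


# Constructed sample inventory (hypothetical hostnames, not from the advisory).
SAMPLE_INVENTORY = [
    ("ap-lobby-01", "6.4.4.18"),
    ("ap-lobby-02", "6.4.4.20"),
    ("ap-floor3-01", "8.3.0.2-FIPS"),
    ("ap-floor3-02", "8.4.0.1"),
]

if __name__ == "__main__":
    for host, ver, action in triage(SAMPLE_INVENTORY):
        print(f"{host}\t{ver}\t{action}")
```

Note that a version on a higher unlisted branch (for example 8.4.x) is reported as not affected only because the advisory lists no range for it; confirm against the vendor's own advisory before closing such a finding.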
Impact

Successful exploitation of these vulnerabilities could allow unauthenticated attackers to perform remote code execution and take control of the affected devices to perform malicious activities, including unauthorised installation of programs, interception of network traffic, and access to other devices on the network.

Recommendations

System administrators using the affected products are advised to upgrade to the latest firmware version as soon as possible:

  • Cisco
  • Aruba
  • Meraki
    • A guide on how to disable Meraki's BLE feature can be found here.
    • Look out for the security patches issued by Meraki to address the vulnerability.

References

https://armis.com/bleedingbit/

https://www.bleepingcomputer.com/news/security/new-bleedingbit-vulnerabilities-affect-widely-used-bluetooth-chips/