Two zero-day vulnerabilities expose millions of access points


The flaw, known as BleedingBit, affects wireless networks used in a large percentage of companies worldwide

Two zero-day vulnerabilities present in the low-energy Bluetooth chips manufactured by Texas Instruments (and used in millions of wireless access points) expose corporate networks where they are used to silent and dangerous attacks, as reported by digital forensics specialists from the International Institute of Cyber Security.

According to reports, attackers could exploit the vulnerabilities simply by coming within range (between 100 and 300 feet of vulnerable devices). A compromised access point could allow an attacker to take control of it, capture all traffic, and then use the compromised device as an access path for further internal attacks.

The vulnerabilities affect Hewlett-Packard’s Aruba Enterprise and Cisco’s Meraki WiFi access points, which represent a large percentage of the hardware used in corporations, according to researchers from a cybersecurity and digital forensics firm. The two flaws were discovered at the beginning of the year and publicly disclosed in recent days.

“An unauthenticated user can deploy devastating attacks on enterprise networks without being detected from a location near vulnerable devices, such as the company lobby, for example”, said Ben Seri, one of the digital forensics specialists in charge of the investigation.

Texas Instruments released the update patches for the vulnerable hardware last Thursday. Cisco is expected to launch patches for three wireless access points from the Aironet series (1542 AP, 1815 AP, 4800 AP), along with patches for its Cisco Meraki series access points (MR33, MR30H, MR74, MR53E), in the upcoming days. On the other hand, update patches for the Aruba 3xx and IAP-3xx access points have already been released.

About vulnerabilities

The first vulnerability (CVE-2018-16986) is linked to the Texas Instruments CC2640/50 chips used in Cisco and Cisco Meraki access points. This vulnerability is a remote code execution flaw on the BLE chip and can be exploited by an attacker from a nearby location.

“First, the attacker sends multiple benign streaming messages, known as ‘advertising packets’, which will be stored in the vulnerable chip’s memory on the selected device”, the experts mentioned. “Next, the attacker sends the overflow packet, which is a slightly modified standard advertising packet, with a specific bit in its header turned on instead of off. This bit causes the chip to allocate the packet’s information to a much larger space than it really needs, triggering a memory overflow”.

The memory leaked by the overflow is exploited by the attackers to ease the execution of malicious code on the chip. A backdoor is opened and the attacker can use it to control the chip wirelessly. From there, attackers can manipulate the main processor of the wireless access point and control it locally and then remotely.
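The mechanism described above is a length-handling bug in the chip's advertising packet parser: a header bit the receiver should not trust ends up widening the memory it reserves for the packet. The following is an added example, not code from the article, from Texas Instruments, or from the researchers, showing the checks a defensive BLE receiver makes so that no header bit can do that. The header layout is my reading of the public BLE 4.2 advertising channel PDU format (PDU Type, two reserved bits, TxAdd, RxAdd in byte 0; a 6-bit Length and two reserved bits in byte 1); which bit the real flaw abused is not stated on the page and is not assumed here. The sample frames are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* BLE 4.2 advertising channel PDU header, as read from the public spec
 * (an assumption for this example; not TI's code):
 *   byte 0: PDU Type [3:0] | RFU [5:4] | TxAdd [6] | RxAdd [7]
 *   byte 1: Length   [5:0] | RFU [7:6]                          */
#define ADV_HDR_LEN      2u
#define ADV_MAX_PAYLOAD  37u     /* 6-byte AdvA + at most 31 bytes AdvData */
#define ADV_TYPE_MASK    0x0Fu
#define ADV_RFU0_MASK    0x30u
#define ADV_LEN_MASK     0x3Fu
#define ADV_RFU1_MASK    0xC0u

typedef enum {
    ADV_OK = 0,
    ADV_ERR_SHORT,      /* fewer bytes than a header */
    ADV_ERR_LEN_RANGE,  /* Length field above the spec maximum */
    ADV_ERR_TRUNCATED   /* Length field above the bytes actually received */
} adv_status_t;

typedef struct {
    uint8_t pdu_type;
    uint8_t payload_len;
    uint8_t rfu_bits_set;              /* 1 if any reserved header bit was set */
    uint8_t payload[ADV_MAX_PAYLOAD];  /* fixed buffer; never sized from the header */
} adv_pdu_t;

/* Parse one received frame into a fixed-size struct.
 * The length is taken only from its 6-bit field and checked against both
 * the spec maximum and the number of bytes actually received before any
 * copy happens. Reserved bits are masked off and merely recorded (useful
 * for monitoring), so they can never widen the length interpretation. */
adv_status_t adv_parse(const uint8_t *frame, size_t frame_len, adv_pdu_t *out)
{
    if (frame_len < ADV_HDR_LEN) return ADV_ERR_SHORT;
    uint8_t h0 = frame[0], h1 = frame[1];
    uint8_t len = h1 & ADV_LEN_MASK;
    if (len > ADV_MAX_PAYLOAD) return ADV_ERR_LEN_RANGE;
    if ((size_t)len > frame_len - ADV_HDR_LEN) return ADV_ERR_TRUNCATED;

    memset(out, 0, sizeof *out);
    out->pdu_type = h0 & ADV_TYPE_MASK;
    out->payload_len = len;
    out->rfu_bits_set = ((h0 & ADV_RFU0_MASK) || (h1 & ADV_RFU1_MASK)) ? 1u : 0u;
    memcpy(out->payload, frame + ADV_HDR_LEN, len);
    return ADV_OK;
}

/* Constructed sample frames (not captured traffic). */
/* Well-formed: Length 8, and 8 payload bytes follow. */
static const uint8_t good_frame[]     = { 0x00, 0x08, 0xAA,0xBB,0xCC,0xDD,0xEE,0xFF, 0x02, 0x01 };
/* Length field 0x3F (63), larger than any legal advertising payload. */
static const uint8_t oversize_frame[] = { 0x00, 0x3F, 0xAA,0xBB,0xCC,0xDD,0xEE,0xFF };
/* Length field claims 8 bytes but only 6 were received. */
static const uint8_t short_frame[]    = { 0x00, 0x08, 0xAA,0xBB,0xCC,0xDD,0xEE,0xFF };
/* Reserved bit 6 of byte 1 set; the Length field itself is still 8. */
static const uint8_t rfu_frame[]      = { 0x00, 0x48, 0xAA,0xBB,0xCC,0xDD,0xEE,0xFF, 0x02, 0x01 };

int main(void)
{
    adv_pdu_t pdu;
    printf("good:     %d\n", adv_parse(good_frame, sizeof good_frame, &pdu));
    printf("oversize: %d\n", adv_parse(oversize_frame, sizeof oversize_frame, &pdu));
    printf("short:    %d\n", adv_parse(short_frame, sizeof short_frame, &pdu));
    adv_status_t st = adv_parse(rfu_frame, sizeof rfu_frame, &pdu);
    printf("rfu:      %d (reserved bits seen: %u)\n", st, pdu.rfu_bits_set);
    return 0;
}
```

The design point is that the destination buffer has a fixed size known at compile time and the only thing the header may influence is how many bytes are copied into it, after that count has been bounded by both the specification and the frame actually on the air. A stack that lets a reserved bit change the allocation size, or that trusts the Length field without comparing it to the received frame, is exposed to exactly the class of bug the article describes. The `rfu_bits_set` flag is there so a receiver can count or log frames with reserved bits set, which is a cheap signal for anomalous advertising traffic near an access point.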

“The use of Texas Instrument chips is so common that an attacker could enter the lobby of any company, search for the available WiFi networks and start the attack”, said Nadir Izrael, an expert in cybersecurity and digital forensics.

The second vulnerability (CVE-2018-7080) was discovered in the Texas Instruments over-the-air firmware download (OAD) feature used in the Aruba 300 Series WiFi access points, which also use the BLE chip.

“This vulnerability is technically a backdoor on the BLE chips that was designed as a development tool, but is active on these access points”, according to the experts. “It allows an attacker to access and install a completely new and different version of the firmware, rewriting the operating system of the device”.