This is a cache of https://it.slashdot.org/story/18/11/01/2230228/bleedingbit-zero-day-chip-flaws-may-expose-majority-of-enterprises-to-remote-code-execution-attacks. It is a snapshot of the page at 2018-11-02T03:39:37.190+0000.
Bleedingbit Zero-Day Chip Flaws May Expose Majority of Enterprises To Remote Code Execution Attacks - Slashdot

Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Privacy

Bleedingbit Zero-Day Chip Flaws May Expose Majority of Enterprises To Remote Code Execution Attacks (zdnet.com) 25

Two new zero-day vulnerabilities called "Bleeding Bit" have been revealed by security firm Armis, impacting Bluetooth Low-Energy (BLE) chips used in millions of cisco, Meraki, and Aruba wireless access points (APs). "Developed by Texas Instruments (TI), the vulnerable BLE chips are used by roughly 70 to 80 percent of business wireless access points today by way of cisco, Meraki and Aruba products," reports ZDNet. From the report: The first vulnerability, CVE-2018-16986, impacts cisco and Meraki APs using TI BLE chips. Attacks can remotely send multiple benign BLE broadcast messages, called "advertising packets," which are stored on the memory of the vulnerable chip. As long as a target device's BLE is turned on, these packets -- which contain hidden malicious code to be invoked later on -- can be used together with an overflow packet to trigger an overflow of critical memory. If exploited, attackers are able to trigger memory corruption in the chip's BLE stack, creating a scenario in which the threat actor is able to access an operating system and hijack devices, create a backdoor, and remotely execute malicious code.

The second vulnerability, CVE-2018-7080, is present in the over-the-air firmware download (OAD) feature of TI chips used in Aruba Wi-Fi access point Series 300 systems. The vulnerability is technically a leftover development backdoor tool. This oversight, the failure to remove such a powerful development tool, could permit attackers to compromise the system by gaining a foothold into a vulnerable access point. "It allows an attacker to access and install a completely new and different version of the firmware -- effectively rewriting the operating system of the device," the company says. "The OAD feature doesn't offer a security mechanism that differentiates a "good" or trusted firmware update from a potentially malicious update."

Bleedingbit Zero-Day Chip Flaws May Expose Majority of Enterprises To Remote Code Execution Attacks

Comments Filter:
  • "Developed by Texas Instruments (TI), the vulnerable BLE chips are used by roughly 70 to 80 percent of business wireless access points today by way of cisco, Meraki and Aruba products," reports ZDNet.

    Of course, it's entirely likely you're not affected by the compromised chips.

    So you can take the reassuring route of "Clearly, that vulnerability clearly affects folks other than me, so I'm righteously Dunning-Kruger in my examination of the evidence that might suggest I'm super, duper, special.

    • by JBMcB ( 73720 )

      Of course, it's entirely likely you're not affected by the compromised chips.

      So you can take the reassuring route of "Clearly, that vulnerability clearly affects folks other than me, so I'm righteously Dunning-Kruger in my examination of the evidence that might suggest I'm super, duper, special.

      The corollary to that is: "zOMG ZERO DAY IN YOUR ROUTERS!!! IT COULD BE YOU!!! CLICK HERE FOR MORE INFOS!!!!"

      Meanwhile it's a vulnerability in some brain-dead feature nobody uses and you have to be standing next to the router to exploit it. My personal favorites are the exploits that require physical access to the machine to plug something in.

      • by sjames ( 1099 )

        The difference between physical access and nearby is huge. The former offers a much greater risk of being caught red-handed. The latter is nearly impossible to prove.

        Meanwhile, a good antenna can increase the range a fair amount.

  • Not allowing the owners of the chips to load custom firmware onto the chips is an atrocious practice. That would be the equivalent of maintaining hidden root access on a system that doesn't belong to you and relegating the legitimate owner to a shadow fake root. If you're going to require signed firmware images on a piece of kit then you need to include the private key to sign new firmware to anyone with with your chip in their equipment.
    • Except one of these vulnerabilities is exactly what you're complaining about.
      The ability to allow any code to be uploaded was accidentally left enabled, allowing anyone within radio range to load any code they wish.

    • by sjames ( 1099 )

      Reflashing should require setting a physical jumper.

      • So to upgrade the firmware in these enterprise outdoor access points, they should send a guy on site up a pole, take the thing down, open it up, insert the jumper, upgrade the firmware, reassemble it and then reinstall it outside? For each of the hundred devices they have?
        Even the indoor AP's in my building would be a costly nightmare. There's 10 floors with at least 6 AP's on the roof of each floor.

May Euell Gibbons eat your only copy of the manual!

Working...