Hexbyte – Tech News – Ars Technica | Bluetooth bugs bite millions of Wi-Fi APs from Cisco, Meraki, and Aruba

Hexbyte – Tech News – Ars Technica |


Exploits aren’t likely to come your way any time soon… but patch anyway.

Hexbyte - Tech News - Ars Technica | A Cisco Aironet access point.
Enlarge /

A Cisco Aironet access point.

Millions of Wi-Fi access points sold by Cisco, Meraki, and Aruba have two critical vulnerabilities being patched that could allow hackers to run malware inside the sensitive networks that use the gear. While the flaws open corporate networks to some scary attacks, the real-world likelihood of them being exploited is debatable.

In a report published Thursday, security firm Armis said two flaws it found in Bluetooth Low Energy chips manufactured by Texas Instruments can be used to hack the APs that embed them. The BLE chips offer a variety of enhancements to traditional Wi-Fi APs. Retailers, for instance, can use them to monitor customer movements inside stores by monitoring the Bluetooth beacons sent by the customers’ phones. Hospitals can use BLE to keep track of Bluetooth-enabled medical equipment. Cisco (which also makes Meraki gear) and Aruba have both issued patches that users of affected gear should install as soon as possible.

Unfortunately, hackers can also make use of the vulnerable BLE chips to take control of the APs. Attackers armed with small Bluetooth-enabled devices need only two minutes to transmit exploits that install malicious firmware on the vulnerable chips. From there, the malware could install AP firmware that monitors communications, infects end users, or spreads to other parts of a corporate network.

Hexbyte – Tech News – Ars Technica | Complete access, no authentication required

“Both of the vulnerabilities allow an attacker completely unauthenticated to be able to take over first the BLE chip,” Armis CTO and cofounder Nadir Izrael told Ars, “but secondly, because of the BLE chip’s position within the software stack and firmware, it allows privileged access to the access point itself.” With the ability to control the AP, attackers can gain access to some of the most privileged parts of a company’s network.

The vulnerability affecting Cisco and Meraki gear is a combination of heap overflow and overflow over static variables, either of which can be used to corrupt chip memory and execute malicious code. The attacks require that BLE be turned on and device scanning changed to be enabled. (By default, scanning is turned off on all vulnerable devices, while BLE is turned off on some but not all of them.) With BLE on and scanning enabled, attacks transmitted by BLE devices within radio range are reliable because the embedded chips provide no exploit mitigations.

Armis Head of Research Ben Seri said a slightly customized attack code is needed for APs running different TI firmware versions. But he also said that it wouldn’t be hard to create a weaponized exploit that combined all the vulnerabilities and automatically used whichever one was needed to exploit a particular vulnerable device. The exploit works by sending benign BLE messages (called advertising packets) that get stored in the memory of the vulnerable chip. Embedded inside the packets is code that’s not detected by traditional security scanning products and gets invoked by the attacker later.

The attacker then triggers the overflow by sending a standard advertising packet with one subtle change—a specific bit in the header is turned on instead of off. The on bit causes the chip to allot data in a larger chunk of memory than is needed. The mismatch causes the chip to leak parts of memory that the attacker can use to execute code sent in the advertising packets in the earlier stage. The attacker now has the ability to backdoor the chip and, from there, attack the main processor of the AP.

“Part of the power of this vulnerability is that it occurs when a BLE chip (as the one embedded in access points) is listening for advertising packets,” Seri wrote in an email. “So any AP that is in that state will be vulnerable to this attack. The attacker doesn’t need to target a specific AP. He can simply send out these malicious broadcast packets, and any vulnerable AP within range would be compromised (simultaneously).” The vulnerability is indexed as CVE-2018-16986.

The second vulnerability is known so far only to affect APs from Aruba. CVE-2018-7080 is the result of an over-the-air firmware download feature that TI built into its chips so device makers can more easily update firmware while developing their products. While the chipmaker never intended the feature to be included in production devices used by end users, Armis said, Aruba makes a password-protected version of the update feature available in the Aruba series 300 APs. The password used across all the devices is identical.

“Any attacker who acquired the password by sniffing a legitimate update or by reverse-engineering the device can force any vulnerable access point in the vicinity t

Read More