Slashdot Mirror


Bleedingbit Zero-Day Chip Flaws May Expose Majority of Enterprises To Remote Code Execution Attacks (zdnet.com)

Two new zero-day vulnerabilities called "Bleeding Bit" have been revealed by security firm Armis, impacting Bluetooth Low-Energy (BLE) chips used in millions of Cisco, Meraki, and Aruba wireless access points (APs). "Developed by Texas Instruments (TI), the vulnerable BLE chips are used by roughly 70 to 80 percent of business wireless access points today by way of Cisco, Meraki and Aruba products," reports ZDNet. From the report: The first vulnerability, CVE-2018-16986, impacts Cisco and Meraki APs using TI BLE chips. Attackers can remotely send multiple benign BLE broadcast messages, called "advertising packets," which are stored in the memory of the vulnerable chip. As long as a target device's BLE is turned on, these packets -- which contain hidden malicious code to be invoked later on -- can be used together with an overflow packet to trigger an overflow of critical memory. If exploited, attackers are able to trigger memory corruption in the chip's BLE stack, creating a scenario in which the threat actor is able to access an operating system and hijack devices, create a backdoor, and remotely execute malicious code.

The second vulnerability, CVE-2018-7080, is present in the over-the-air firmware download (OAD) feature of TI chips used in Aruba Wi-Fi access point Series 300 systems. The vulnerability is technically a leftover development backdoor tool. This oversight, the failure to remove such a powerful development tool, could permit attackers to compromise the system by gaining a foothold into a vulnerable access point. "It allows an attacker to access and install a completely new and different version of the firmware -- effectively rewriting the operating system of the device," the company says. "The OAD feature doesn't offer a security mechanism that differentiates a 'good' or trusted firmware update from a potentially malicious update."

55 comments

  1. I've seen other code from TI's SDKs by Anonymous Coward · · Score: 0

    It does not surprise me at all that their shit is broken.

    1. Re: I've seen other code from TI's SDKs by Anonymous Coward · · Score: 0

      I agree!! The TI DSP IDE and compiler are the worst code ever!

  2. Why does a wireless access point have bluetooth? by Anonymous Coward · · Score: 0

    Doesn't seem to make sense to me.

    On a laptop, phone or tablet, you probably want bluetooth and wifi.

    But "enterprise" wifi access points are normally wired in with a controller, and I don't see what the bluetooth would be used for.

    What am I missing?

  3. Re:Why does a wireless access point have bluetooth by viperidaenz · · Score: 2

    Obviously it's there to increase the attack area. Duh.

  4. Gosh, another breach that affects others by rmdingler · · Score: 0

    "Developed by Texas Instruments (TI), the vulnerable BLE chips are used by roughly 70 to 80 percent of business wireless access points today by way of Cisco, Meraki and Aruba products," reports ZDNet.

    Of course, it's entirely likely you're not affected by the compromised chips.

    So you can take the reassuring route of "Clearly, that vulnerability clearly affects folks other than me, so I'm righteously Dunning-Kruger in my examination of the evidence that might suggest I'm super, duper, special.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re: Gosh, another breach that affects others by Anonymous Coward · · Score: 0

      What the hell are you babbling about, fool?

    2. Re: Gosh, another breach that affects others by rmdingler · · Score: 1

      Sigh... I was rather foolishly attempting to communicate an interesting parable to the feeble... epic fail.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    3. Re: Gosh, another breach that affects others by Anonymous Coward · · Score: 0

      If by parable, you mean making yourself look like a retarded loony piece of trash, you succeeded wildly.

    4. Re:Gosh, another breach that affects others by JBMcB · · Score: 0

      Of course, it's entirely likely you're not affected by the compromised chips.

      So you can take the reassuring route of "Clearly, that vulnerability clearly affects folks other than me, so I'm righteously Dunning-Kruger in my examination of the evidence that might suggest I'm super, duper, special.

      The corollary to that is: "zOMG ZERO DAY IN YOUR ROUTERS!!! IT COULD BE YOU!!! CLICK HERE FOR MORE INFOS!!!!"

      Meanwhile it's a vulnerability in some brain-dead feature nobody uses and you have to be standing next to the router to exploit it. My personal favorites are the exploits that require physical access to the machine to plug something in.

      --
      My Other Computer Is A Data General Nova III.

    5. Re:Gosh, another breach that affects others by Anonymous Coward · · Score: 0

      Meanwhile it's a vulnerability in some brain-dead feature nobody uses and you have to be standing next to the router to exploit it. My personal favorites are the exploits that require physical access to the machine to plug something in.

      Clearly never been in a datacenter or near a server room eh? There is a reason guest access is usually escorted but nothing stops a bored NOC employee.

      Still trying to understand why in the FUCK do these devices have bluetooth.

    6. Re:Gosh, another breach that affects others by sjames · · Score: 2

      The difference between physical access and nearby is huge. The former offers a much greater risk of being caught red-handed. The latter is nearly impossible to prove.

      Meanwhile, a good antenna can increase the range a fair amount.

    7. Re:Gosh, another breach that affects others by Anonymous Coward · · Score: 0

      "Clearly never been in a datacenter or near a server room eh?"
      Gaining physical access to the largest and most important data centers is harder than gaining access to a nuclear silo.

      And the vast majority of security weaknesses require physical access to the computer or network you wish to exploit. If I have physical access to a computer or network I don't need to waste time writing exploits when I could use much easier methods.

    8. Re: Gosh, another breach that affects others by Anonymous Coward · · Score: 0

      Try again @rmdingler, sounds interesting

    9. Re: Gosh, another breach that affects others by Anonymous Coward · · Score: 0

      All you did was throw out some word salad to wank yourself over.
      That whole Dunning-Kruger thing you were prattling on about? How about you look in the mirror, dickface.

  5. LOL! by Anonymous Coward · · Score: 0

    Your search - butthoaljoe - did not match any documents.

    Suggestions:

    Make sure all words are spelled correctly.
    Try different keywords.
    Try more general keywords.

  6. Re: The Linux link by Anonymous Coward · · Score: 0

    No they don't, the chips run microcode.

  7. Re: The Linux link by Anonymous Coward · · Score: 0

    The OS doesn't matter, it's a hardware problem.

  8. Re:Why does a wireless access point have bluetooth by Opportunist · · Score: 1

    It's a checkbox in the bullshit-feature game.

    You know those checkboxes. From your local electronics big box mart. With every appliance, there's this sticker that has a lot of checkboxes next to the name of features. And some are checked and some are not, depending on whether the appliance has the feature or not. Which ones sell? The ones with features of course. If appliance A costs about as much as appliance B, how will the average person tell the difference? By counting ticked checkboxes, of course. Do they need those features? Hell no. In 9 out of 10 cases they don't even know what those features mean. But A has it and B doesn't, so A is better!

    Why do you think the average procurement manager works differently?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  9. The ability to load unsigned firmware images is no by edris90 · · Score: 2

    Not allowing the owners of the chips to load custom firmware onto the chips is an atrocious practice. That would be the equivalent of maintaining hidden root access on a system that doesn't belong to you and relegating the legitimate owner to a shadow fake root. If you're going to require signed firmware images on a piece of kit then you need to include the private key to sign new firmware to anyone with your chip in their equipment.

  10. Re:Why does a wireless access point have bluetooth by viperidaenz · · Score: 1

    How many big box mart stores sell these enterprise Cisco, Aruba and Meraki access points?

  11. Re: The Linux link by viperidaenz · · Score: 1

    microcode is the code a cpu runs internally to implement its own instruction set.
    I highly doubt the cpu in these ble chips use microcode at all.

  12. Re:The ability to load unsigned firmware images is by viperidaenz · · Score: 2

    Except one of these vulnerabilities is exactly what you're complaining about.
    The ability to allow any code to be uploaded was accidentally left enabled, allowing anyone within radio range to load any code they wish.

  13. Re:The ability to load unsigned firmware images is by sjames · · Score: 2, Insightful

    Reflashing should require setting a physical jumper.

  14. Re: The Linux link by sjames · · Score: 1

    I don't think that word means what you think it means.

    In fact, the TI chips, like many other BLE chips, are ARM Cortex SoCs (cannot run Linux) running a lightweight RTOS with a Bluetooth protocol stack and a suitable radio.

    In other words, they run ARM machine language.

  15. Re:Why does a wireless access point have bluetooth by Anonymous Coward · · Score: 0

    All of them. Linksys is owned by Cisco.

  16. Re:Why does a wireless access point have bluetooth by sjames · · Score: 1

    Enterprise vendors and the pointy hairs that sign the POs follow exactly the same pattern.

  17. Re:Why does a wireless access point have bluetooth by viperidaenz · · Score: 1

    In other words, you mean none of the products identified as having this issue.
    These aren't consumer marketed products. Just because Cisco has a consumer brand with a different set of products, doesn't mean their enterprise offerings are identical.

  18. Re:The ability to load unsigned firmware images is by viperidaenz · · Score: 2

    So to upgrade the firmware in these enterprise outdoor access points, they should send a guy on site up a pole, take the thing down, open it up, insert the jumper, upgrade the firmware, reassemble it and then reinstall it outside? For each of the hundred devices they have?
    Even the indoor APs in my building would be a costly nightmare. There's 10 floors with at least 6 APs on the roof of each floor.

  19. Re:The ability to load unsigned firmware images is by sjames · · Score: 1

    It's up to you, you can balance the risk/reward as you see fit.

    For example, you might prefer to change the bootloader so it will flash an image you signed without the jumper, but require the jumper to change the signing key.

    Or, since the firmware I'm referring to is for the BLE module, (not the entire AP), you could just leave it as is with the jumper off..

  20. Re:Why does a wireless access point have bluetooth by Opportunist · · Score: 1

    Again, this is the procurement version of it. You have a procurement manager who knows jack shit about routers. But you, in IT, can't simply go and purchase a sensible access point when you need one. You have to go through procurement. And procurement will buy the "most economic" solution. Which usually means the cheapest shit that fits the bill. And if you find different cheap shit, the one with the most filled tick boxes get bought.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  21. Re:Why does a wireless access point have bluetooth by skids · · Score: 1

    It's for new wayfinding and location-based features. And they leveraged it for console use, though you rarely ever need console on these things.

    Note the second CVE is not a "0-day". Aruba notified customers quite some time ago with workarounds (and a patch release, though only for their most-deployed chain.)

    And they knew before then (they said they had to notify earlier than they wanted due to someone leaking.)

  22. Re:The ability to load unsigned firmware images is by skids · · Score: 1

    I'd love to get that horse back in the barn, but considering the tech docs for these chipsets are not released to customers, we'd have to round up the pony as well. You can hope the chips behave like some similar design but you never know if there's one register in there wired up differently on a device made custom for a manufacturer.

    Also in this specific case they can hide behind the fact that the chipsets participate in RF and thus amateur firmware could cause illegal interference, so there's a mule out in the field as well (same problem with phone chipsets.)

    (Proper way to go about this is have the TPM allow a customer key, not publish your corporate private key. Preferably you can have more than one key, and disable the vendor key if needed. Main problem is making it easy for low-level IT guys to check what the status of the keys are... very low-level IT guys. So preventing the TPM from using keys it was not booted with and providing a service/mechanism that validates the running key.)
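The bootloader policy sketched in the two comments above (sjames: flash an image signed with an installed key without the jumper, but require the jumper to change a key; skids: allow an owner key alongside the vendor key, let the owner disable the vendor key, and give operators a way to check which key the running image verified under) can be written down as a small state machine. The Go program below is an added example written for this page; it is not code from TI, Aruba, Cisco or Armis, and the `Bootloader` type, the two-slot key layout, the `jumper` physical-presence flag and the Ed25519-over-SHA-256 signature format are all assumptions chosen for illustration. It also makes concrete the check the summary says the OAD feature lacks: one that distinguishes a trusted image from any other before it is written to flash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed model of a BLE-module bootloader with a key-slot policy.
// Slot 0 is the vendor key, slot 1 an owner/customer key; an empty (nil)
// slot is disabled. Any enabled key may authorise an image, but changing
// a slot requires the physical-presence "jumper" to be set.
const maxSlots = 2

type Bootloader struct {
	slots      [maxSlots]ed25519.PublicKey // nil = empty/disabled slot
	jumper     bool                        // physical-presence flag (hypothetical)
	flashed    []byte                      // last accepted image
	activeSlot int                         // slot that verified the running image, -1 if none
}

var (
	ErrNoKeys   = errors.New("no signing key installed; refusing image")
	ErrBadSig   = errors.New("image signature does not verify under any enabled key")
	ErrNoJumper = errors.New("physical presence (jumper) required to change keys")
	ErrBadSlot  = errors.New("invalid key slot")
)

// NewBootloader starts with every slot empty, so no image can be accepted
// until a key is installed with the jumper set.
func NewBootloader() *Bootloader { return &Bootloader{activeSlot: -1} }

// VerifyImage checks sig against SHA-256(image) under every enabled slot and
// returns the index of the slot that verified, or an error.
func (b *Bootloader) VerifyImage(image, sig []byte) (int, error) {
	digest := sha256.Sum256(image)
	anyKey := false
	for i, pk := range b.slots {
		if pk == nil {
			continue
		}
		anyKey = true
		if ed25519.Verify(pk, digest[:], sig) {
			return i, nil
		}
	}
	if !anyKey {
		return -1, ErrNoKeys
	}
	return -1, ErrBadSig
}

// Flash writes an image only if it verifies; no jumper is needed for this path.
func (b *Bootloader) Flash(image, sig []byte) (int, error) {
	slot, err := b.VerifyImage(image, sig)
	if err != nil {
		return -1, err
	}
	b.flashed = append([]byte(nil), image...)
	b.activeSlot = slot
	return slot, nil
}

// SetKey installs (or, with pk == nil, disables) a slot; this is the path
// that requires physical presence.
func (b *Bootloader) SetKey(slot int, pk ed25519.PublicKey) error {
	if slot < 0 || slot >= maxSlots {
		return ErrBadSlot
	}
	if !b.jumper {
		return ErrNoJumper
	}
	b.slots[slot] = pk
	return nil
}

// RunningKeySlot reports which slot authorised the running image (-1 if none),
// the status an operator would query to validate the active key.
func (b *Bootloader) RunningKeySlot() int { return b.activeSlot }

// Sign produces a detached Ed25519 signature over SHA-256(image).
func Sign(priv ed25519.PrivateKey, image []byte) []byte {
	d := sha256.Sum256(image)
	return ed25519.Sign(priv, d[:])
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	img := []byte("constructed firmware image v2") // constructed sample image

	b := NewBootloader()
	_, err := b.Flash(img, Sign(vendorPriv, img))
	fmt.Println("flash with no keys installed:", err)

	b.jumper = true
	_ = b.SetKey(0, vendorPub) // provision vendor key with physical presence
	b.jumper = false
	slot, err := b.Flash(img, Sign(vendorPriv, img))
	fmt.Println("vendor-signed image, slot:", slot, "err:", err)

	b.jumper = true
	_ = b.SetKey(1, ownerPub) // owner adds their own key ...
	_ = b.SetKey(0, nil)      // ... and disables the vendor key
	b.jumper = false
	_, err = b.Flash(img, Sign(vendorPriv, img))
	fmt.Println("vendor-signed image after vendor key disabled:", err)
	slot, _ = b.Flash(img, Sign(ownerPriv, img))
	fmt.Println("owner-signed image, slot:", slot, "running key slot:", b.RunningKeySlot())
}
```

The split between `Flash` (no jumper) and `SetKey` (jumper required) is the whole point: routine updates stay remotely manageable, while the one operation that would let a new party sign images needs someone at the device. Disabling a slot by setting it to `nil` is what lets an owner retire the vendor key once their own is installed.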

  23. Re:Why does a wireless access point have bluetooth by Anonymous Coward · · Score: 1

    linksys is not owned by cisco. belkin bought it from cisco way back in march of 2013. but get with the program. it's not over yet, either, try to keep up... because now, foxconn is in process of buying belkin.

    but either way, belkin or foxconn, don't expect anything to improve on the security and update front. they're both worse than cisco was for security support of that product line, and far worse than linksys was on its own before that.

  24. Re:The ability to load unsigned firmware images is by Anonymous Coward · · Score: 0

    These are all manufacturers during the NSA/Snowden leak. What a coincidence they have such exploits?

  25. Bluetooth where it isn't needed by Anonymous Coward · · Score: 0

    Remind me why we put Bluetooth in everything nowadays?

    1. Re:Bluetooth where it isn't needed by Anonymous Coward · · Score: 0

      Because it's innovative (according to Apple)

  26. Re:The ability to load unsigned firmware images is by Anonymous Coward · · Score: 0

    Not True. Just upgrade the software.

    https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-006.txt

  27. marketing by mschaffer · · Score: 1

    Someone in marketing said that they need to put Bluetooth on the devices before the competition does. Now they have the most wireless in their wireless access points and have closed the Bluetooth "gap" with the competition.

  28. Re: The Linux link by Anonymous Coward · · Score: 0

    This one may not run Linux, but ARM Cortex SoCs certainly can. Most Raspberry Pis are running Linux.

  29. Re:Why does a wireless access point have bluetooth by MoreDruid · · Score: 1

    Doesn't seem to make sense to me.

    On a laptop, phone or tablet, you probably want bluetooth and wifi.

    But "enterprise" wifi access points are normally wired in with a controller, and I don't see what the bluetooth would be used for.

    What am I missing?

    IOT devices with low power BT are used for tracking. Some McDonalds in the Netherlands uses these to serve your order.

    --
    The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness.

  30. Re:The ability to load unsigned firmware images is by UperPoti · · Score: 1

    Would it not be preferable to just have the motherboard require a switch accessible by users when the case is fully assembled set to allow firmware updates?

  31. Say what now? by coofercat · · Score: 4, Informative

    I had to look at TFA to find out that:

    1) It has an auto-play video. Another to add to your blocker's blacklist

    2) BLE chips are used for IoT connectivity. I assume the Access Points run wifi for your phones and laptops and Bluetooth (LE) for your IoT devices. If you don't have any IoT, you don't need the BLE functionality (there may be a way to turn it off in these products, but knowing Cisco, you can turn the functionality off but it won't protect you from the vulnerability).

    In other words... IoT is a sack of insecure shite. If the device itself doesn't have vulnerabilities, the AP will. Great.

    1. Re:Say what now? by Anonymous Coward · · Score: 0

      I assume the Access Points run wifi for your phones and laptops and Bluetooth (LE) for your IoT devices.

      You assume incorrectly. Depending on the vendor, the BLE is used for a few different things. But, the primary function is location based tracking.

      What, you didn't know that these vendors have been selling (renting) their location tracking services to every retailer and venue out there? You didn't know that you don't have to connect to their APs for them to track you? You didn't know that they maintain records (many times personally identifying you) of when you've been there and where exactly you've traipsed amongst the aisles in the store?

      Well, then you probably also didn't know that they use this information to game your visits to their stores and also feed your data to advertisers for HIGHLY TARGETED location specific ads on screens in front of you(Think Minority Report retinal ID ads) as well as ON YOUR OWN FUCKING PHONE(You didn't know about BLE beacons?) even though you aren't connecting to their WiFi network and aren't even doing business with them.

      Surprise Motherfucker! It's got exactly ZERO to do with IoT it's all about tracking.
      https://create.meraki.io/guides/proximity-marketing/

      Yea, this vulnerability is just a tiny sip of justice served on Cisco et al.

  32. Re:Why does a wireless access point have bluetooth by lgw · · Score: 1

    Enterprise procurement works the same, is the point. The decision makers for very large purchases don't understand the technology, but they do understand feature checklists.

    --
    Socialism: a lie told by totalitarians and believed by fools.

  33. Re:The ability to load unsigned firmware images is by AmiMoJo · · Score: 1

    A lot of these devices don't even store the firmware themselves any more. They just have a bootloader and the firmware is loaded every time they are powered up.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  34. Re:The ability to load unsigned firmware images is by Anonymous Coward · · Score: 0

    A lot of these devices don't even store the firmware themselves any more. They just have a bootloader and the firmware is loaded every time they are powered up.

    So what you are saying is they store the firmware and load it up each time they're powered on. Sure sounds like they're storing it to me...But they don't store the firmware themselves anymore. Do you realize you just completely and totally contradicted yourself?

  35. cell phone attack vector by Anonymous Coward · · Score: 0

    Re: several comments that wireless exploits demand physical presence - not true. Phish a trojan onto a few thousand cell phones from the other side of the planet and in no time flat you will have people carrying your attack into the most sensitive of data centers, sniffing for vulnerable WiFi access points and proxying your attacks through the cell/Internet connection into the local WiFi / Bluetooth space.

  36. Re:The ability to load unsigned firmware images is by sjames · · Score: 1

    True, some don't, but the TI devices do have their own flash for firmware.

  37. Re:The ability to load unsigned firmware images is by sjames · · Score: 1

    Some devices have their own onboard flash and bootloader. Others have no internal flash and they are initialized by the main CPU and run out of the main device flash.

  38. Re: The Linux link by sjames · · Score: 1

    Cortex-A runs Linux, but the Cortex-M used in Bluetooth devices cannot.

  39. Re:The ability to load unsigned firmware images is by sjames · · Score: 1

    I said SHOULD, not DOES.

  40. Re:The ability to load unsigned firmware images is by sjames · · Score: 1

    That would be up to the manufacturer that incorporates the BLE module into the product.

  41. Re:Why does a wireless access point have bluetooth by Lev_Arris · · Score: 1

    Tracking and advertising. These things emit BLE beacons that apps on your smartphone pick up. This allows for analytics in malls, geofencing ads, ... (Look up Eddystone and iBeacon.) That coupon app for your supermarket chain? Allows them to track your every move through their store, from the moment you enter to when you check out.

    Other uses include "indoor GPS" (having the app show your location in the building on a map, ...).

    https://documentation.meraki.c...
    https://www.arubanetworks.com/...
    https://www.cisco.com/c/en/us/...

  42. Re:The ability to load unsigned firmware images is by Anonymous Coward · · Score: 0

    Congratulations for proving you have poor reading comprehension.

    He said not allowing the owner of the device to upload code was wrong, NOT that allowing anyone to upload code was right.

    He also gave an example for an authentication mechanism to determine who can upload new code. Which is absent in the vulnerability you're referring to.

    Further the vulnerability you're referring to would have still been present if they had required manufacturer signed firmware only. Which guess what? They do if it's enabled by the manufacturer of the device. Which means any vulnerability would be protected by the manufacturer and could only be fixed by the manufacturer, even if you knew exactly what bits were bad and how to fix them. The only difference in this case is that this particular vulnerability bypasses this restriction when enabled. Rendering the protection useless.

    So no, his "complaint" is different.