There are two flaws affecting Bluetooth Low Energy (BLE) chips made by Texas Instrument that could expose enterprise networks to attacks within Bluetooth range.
The bugs, tracked as CVE-2018-16986 and CVE-2018-7080, affect BLE chips used in a range of Cisco, Aruba, and Cisco-owned Meraki wireless access points.
The Texas Instruments (TI) chips are commonly used within wi-fi access points for enterprise networks, but BLE chips in general are also used in retail, healthcare, and other smart home equipment.
Researchers from security firm Armis who discovered the flaws focussed solely on BLE vulnerabilities in on wireless access points (AP), meaning the vulnerabilities could exist within other products not within scope.
They dubbed the flaws Bleedingbit because of one bit transmitted when BLE-equipped devices are connecting that can leak memory, which an attacker can use to install a backdoor on the affected BLE chip.
The attacker can use the backdoor to install new firmware on the compromised device’s main processor and hop over to other BLE-enabled devices.
“In the case of an access point, once the attacker gained control he can reach all networks served by it, regardless of any network segmentation. Furthermore, the attacker can use the device in his control to spread laterally to any other device in its vicinity, launching a truly airborne attack,” Armis researchers explained.
The last major Bluetooth flaw company found was BlueBorne, which prompted a major cleanup effort by vendors of devices with a vulnerable Bluetooth stack running on Android, iOS, Windows, and Linux.
The bug CVE-2018-16986 affects Cisco and Meraki wireless access points, while CVE-2018-7080 affects Aruba wireless access points.
"An attacker who is able to exploit the vulnerability could install new, potentially malicious firmware into the AP's BLE radio and could then gain access to the AP's console port," said Aruba in its advisory.
Cisco said that Aironet APs running software release 126.96.36.199 or 188.8.131.52 are vulnerable because these are the only releases that support BLE. Additionally, the AP is only vulnerable if BLE is active and BLE scan mode is enabled, and scan mode is disabled by default.
Cisco has confirmed the follow products are vulnerable: Aironet 1800s Active Sensor; Aironet 1815t Series Access Points; Aironet 1830 Series Access Points; Aironet 1850 Series Access Points; Aironet 2800 Series Access Points; Aironet 3800 Series Access Points; and Aironet Access Points - Running Cisco IOS Software.
Aruba gear affected include: AP-3xx and IAP-3xx series access points; AP-203R; AP-203RP; ArubaOS 6.4.4.x prior to 184.108.40.206; ArubaOS 6.5.3.x prior to 220.127.116.11; ArubaOS 6.5.4.x prior to 18.104.22.168; ArubaOS 8.x prior to 22.214.171.124; and ArubaOS 8.3.x prior to 126.96.36.199.