Millions of Wi-Fi access points sold by Cisco, Meraki, and Aruba have two major hidden vulnerabilities that could allow hackers to run malware in sensitive networks that use the gear. While the flaws open corporate networks to some serious attacks, the real-world possibility of them being exploited is debatable.
In a Report published ThursdaySecurity company Armis said two flaws were found in it Bluetooth Low Energy chips manufactured by Texas Instruments can be used to hack APs that have them installed. BLE chips offer many enhancements to traditional Wi-Fi APs. Retailers, for example, can use them to track customer movements inside stores by monitoring Bluetooth beacons sent by customers’ phones. Hospitals can use BLE to keep track of Bluetooth-enabled medical devices. Cisco (which also makes Meraki gear) and Aruba have both issued patches that users of the affected gear should install as soon as possible.
Unfortunately, hackers can also use vulnerable BLE chips to control APs. Attackers armed with small Bluetooth devices need only two minutes to spread and install malicious firmware on vulnerable chips. From there, malware can install AP firmware that monitors communications, infects end users, or spreads to other parts of a corporate network.
Full access, no verification required
“Both of the vulnerabilities allow a completely unauthorized individual to be able to first get hold of the BLE chip,” Armis CTO and developer Nadir Esra told Ars, “but secondly, because of the BLE chip’s location between the software stack and the firmware, it allows . privileged access to the access point itself. ” With the ability to control the AP, attackers can gain access to some of the most vulnerable parts of a corporate network.
The vulnerability affecting Cisco and Meraki gear is a combination of overflow and overflow on static variables, either of which can be used to corrupt the chip’s memory and execute malicious code. The attacks require BLE to be turned on and device detection turned on to enable it. (By default, scanning is turned off on all vulnerable devices, while BLE is turned off on some but not all.) With BLE turned on and scanning enabled, attacks launched by The BLE device within the radio range is reliable because the embedded chips provided are not available. exploit mitigations.
Armis Head of Research Ben Seri said that some custom attack code is needed for APs running different TI firmware versions. But he also said that it would not be difficult to create an exploit weapon that combines all the vulnerabilities and automatically uses whatever is needed to exploit a specific vulnerability mechanism. The exploit works by sending malicious BLE messages (called advertisement packets) that are stored in the memory of the vulnerable chip. Embedded in the packets is code that is not detected by traditional anti-virus products and is called by a later attack.
The attacker then triggers the flood by sending a standard advertisement packet with a subtle change—a specific bit in the header is turned on instead of off. The over bit causes the chip to allocate data in a larger chunk of memory than needed. The flaw causes the chip to leak parts of memory that an attacker can use to execute code sent in advertising packets in a previous phase. The user now has the ability to back up to the chip and, from there, attack the AP’s main processor.
“A critical aspect of this vulnerability is that it occurs when a BLE chip (such as one embedded in access points) is listening for advertising packets,” Seri wrote in an email. “So any AP in that state will be vulnerable to this attack. The trainer does not need to target a specific AP. You can simply send these malicious broadcast packets, and any vulnerable AP within range will be infected (simultaneously).” The vulnerability is indexed as CVE-2018-16986.
The second vulnerability is known so far only to affect APs from Aruba. CVE-2018-7080 is the result of an over-the-air firmware download feature that TI built into its chips so that device makers can update firmware more easily while developing their products. While the manufacturer doesn’t intend for the feature to be available in production devices used by end users, Armis said, Aruba does make a password-protected version of the update available in the Aruba 300 series APs. The password used on all devices is the same.
“Any attacker who obtains the password by performing a legitimate update or by modifying the device’s operating system can force any vulnerable site in the environment to download a fraudulent update containing the attacker’s personal code, effectively allowing complete rebuild (of) your operating system. , thus having full control over it,” said Thursday’s report.
What is harmful (and when)?
According to Armis, CVE-2018-16986 is available when using the virus in the following chip/firmware combinations:
- CC2640 (non-R2) with BLE-STACK version 2.2.1 or earlier version; or
- CC2650 with BLE-STACK version 2.2.1 or earlier version; or
- CC2640R2F with SimpleLink CC2640R2 SDK version 1.00.00.22 (BLE-STACK 3.0.0); or
- CC1350 with SimpleLink CC13x0 SDK version 2.20.00.38 (BLE-STACK 2.3.3) or an earlier version.
Affected APs include:
- Cisco 1800i Aironet Access Points
- Cisco 1810 Aironet Access Points
- Cisco 1815i Aironet Access Points
- Cisco 1815m Aironet Access Points
- Cisco 1815w Aironet Access Points
- Cisco 4800 Aironet Access Points
- Cisco 1540 Aironet Series Outdoor Access Point
- Meraki MR30H AP
- Meraki MR33 AP
- Meraki MR42E AP
- Meraki MR53E AP
- Meraki MR74
CVE-2018-7080, Armis said, affects the Aruba 300 series APs, although Aruba’s advisory has listed additional devices.
In the email, Cisco confirmed the vulnerabilities when the affected devices have BLE turned on and the scanner is enabled. Scanning is disabled by default for all affected products, and the BLE feature is disabled by default on affected Aironet devices. Cisco has documentation about vulnerabilities Here, Herewe had Here.
An Aruba representative said that the company had a business patch for weakness on October 18. The advisory states that the following APs are affected:
- AP-3xx and IAP-3xx series access points
- ArubaOS 6.4.4.x before 22.214.171.124
- ArubaOS 6.5.3.x before 126.96.36.199
- ArubaOS 6.5.4.x before 188.8.131.52
- ArubaOS 8.x before 184.108.40.206
- ArubaOS 8.3.x before 220.127.116.11
By default, the Aruba representative said, BLE in the AP-3xx, AP-207, and AP-203R (P) devices is turned off, and the company is not aware of any customers using it.
Texas Instruments issued a statement that addressed some of the details in Thursday’s report. Among other things, TI said it released a software update earlier this year that fixes CVE-2018-16986. (Armis, meanwhile, said that TI only recognized the defect as a stable issue at the time.) TI has corrections and documentation available. Here.
Yes, not good, no (but patchy anyway)
On one level, the inefficiencies are shockingly bad. Given the control of the bugs giving attacks and the ability for hackers to detect them using relatively sophisticated techniques, it is difficult to understand why TI and Cisco did not recognize the glaring vulnerability caused by the flood and why Aruba has updated the over-the-air download feature in APs and customers.
At another level, however, a large amount of work is required to exploit these vulnerabilities in a way that gives attackers the control they ultimately want. Attackers must first invest time in finding vulnerabilities and developing highly complex code that exploits them. Then they must develop more complex firmware that backs up the chip without interfering with its normal functions. The amount of technical change and code development involved is significant.
While greater control over a company’s access point is a nice reward, it’s not as high a return on investment as, say, gaining control over the server that stores all of the company’s employee password data or databases. customer data. Dan Guido, a mobile security expert and CEO of the security company Trail of Bits, summarizes the situation this way:
The chance of co-discovery here is pretty small. The resources to replicate this attack are high. The window of opportunity to exploit it is really small, and the access you get is not that useful, because instead of being root on some Windows box, you’ll just get code execution on some weird chip where you now ‘ve to build custom payloads and engineer all kinds of custom patterns and find a way to manipulate this object in a specific mechanism. It’s just not useful for most attacks.
Then there is the requirement that the attacker be within radio range of the target. There aren’t many well-known instances of sophisticated exploits in the mockery that require physical proximity to the target. One that comes to mind is the TJ Maxx security breach from the mid-2000s hit more than 100 million customer records. According to Wall Street Journal, it was carried out, at least in part, by hackers who used a telescope-shaped antenna and a laptop to intercept data flowing through a Wi-Fi network used at a nearby Marshalls discount clothing store St. Paul, Minnesota. While data is encrypted using the WEP protocol, remote hackers need an hour or so to crack the key.
But hacking into a retailer’s unsecured Wi-Fi network is much easier to do than the kind of highly specialized attack described in Wednesday’s report. (True to Armis, though, once attackers make the initial, high investment in transformative technology and application development, they can send gloves armed with BLE-enabled devices to areas of is targeted from the seed of the attack. Once the AP in the network is infected, physical proximity is no longer required.)
Asked for examples of proximity-based attacks used in the real world, Armis’ Seri pointed to the catalog of NSA tools leaked by former employee Edward Snowden. A a tool called Nightstand allow the agency’s hackers to use Wi-Fi signals to compromise Windows computers.
Seri said of an NSA application as an example of a real-world threat caused by proximity attacks only seems to continue the case of BLE attacks described on Thursday (Armis calls them Bleedingbit) and not such attacks more than. companies will ever see. Seri, who has experience building weapons, continues to disagree.
“This type of attack, if you compare it to a lot of other attacks, is pretty simple,” he told Ars. “You might think there are a lot of bits here. This is complicated. A coach knows that every attack is complicated in some way. But once you get past the research stage (and) you have your exploit code, you just send it off, and you’re in.”