Multiple vulnerabilities in BLE-stack



Published: 2018-11-02
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2018-16986
CVE-2018-7080
CWE-ID CWE-120
CWE-264
Exploitation vector Local
Public exploit N/A
Vulnerable software
BLE-STACK
Universal components / Libraries / Software for developers

Vendor Texas Instruments

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU15683

Risk: Medium

CVSSv3.1: 6.6 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16986

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows an attacker within BLE radio range to execute arbitrary code on the target device.

The weakness exists due to a boundary error when processing incoming BLE advertising packets while BLE is turned on and the device is actively scanning. An attacker in radio range of the targeted device can send specially crafted packets containing malformed BLE frames, trigger memory corruption on the BLE chip and execute arbitrary code. The attacker can then install a backdoor on the chip and from there gain complete control of the host system. In the case of access points, the attacker can use the compromised AP to reach other devices on the network, even if network segmentation is in place.

The vulnerability has been dubbed "BLEEDINGBIT".
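To make the weakness class behind this entry concrete, the following is an added, illustrative C example. It is not the BLE-STACK source: the record layout, the function names and the constructed frame are all assumptions. It shows a toy advertising-PDU parser that trusts the Length field of the over-the-air header (the CWE-120 pattern) next to a version that validates the header against the bytes actually received and the fixed-size destination buffer.

```c
/* Added illustration of CWE-120 in a BLE advertising-PDU parser.
 * Not TI's code: struct layout, names and the test frame are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADV_HDR_LEN  2   /* PDU type/flags byte + Length byte */
#define ADV_ADDR_LEN 6   /* AdvA: advertiser address */
#define ADV_DATA_MAX 31  /* AdvData cap for legacy advertising (BLE 4.x) */
#define ADV_PDU_MAX  (ADV_HDR_LEN + ADV_ADDR_LEN + ADV_DATA_MAX)

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline)) /* keep copy sizes opaque to the optimizer */
#else
#define NOINLINE
#endif

/* Assumed record a scanner fills for each received advertisement. */
typedef struct {
    uint8_t addr[ADV_ADDR_LEN];
    uint8_t data[ADV_DATA_MAX];
    uint8_t data_len;
    uint8_t accepted;  /* sentinel: lives right after data[] in this toy layout */
} adv_report_t;

/* Slack after the record so the demonstrated overflow lands in memory this
 * program owns rather than on the real stack. */
typedef struct {
    adv_report_t rep;
    uint8_t guard[64];
} report_slot_t;

/* Vulnerable: the AdvData length is derived from the attacker-controlled
 * header and never compared with the 31-byte destination. */
NOINLINE static int parse_adv_vulnerable(const uint8_t *pdu, size_t rx_len, adv_report_t *out)
{
    if (rx_len < ADV_HDR_LEN + ADV_ADDR_LEN) return -1;
    uint8_t hdr_len = pdu[1] & 0x3F;                 /* 6-bit Length field */
    memcpy(out->addr, pdu + ADV_HDR_LEN, ADV_ADDR_LEN);
    uint8_t adv_data_len = hdr_len - ADV_ADDR_LEN;   /* may be up to 57 */
    memcpy(out->data, pdu + ADV_HDR_LEN + ADV_ADDR_LEN, adv_data_len); /* CWE-120 */
    out->data_len = adv_data_len;
    return 0;
}

/* Hardened: Length must agree with the bytes the radio delivered, the whole
 * PDU must fit the legacy maximum, and AdvData must fit the buffer. */
NOINLINE static int parse_adv_hardened(const uint8_t *pdu, size_t rx_len, adv_report_t *out)
{
    if (rx_len < ADV_HDR_LEN + ADV_ADDR_LEN || rx_len > ADV_PDU_MAX) return -1;
    uint8_t hdr_len = pdu[1] & 0x3F;
    if ((size_t)hdr_len + ADV_HDR_LEN != rx_len) return -1;  /* header vs. reality */
    size_t adv_data_len = (size_t)hdr_len - ADV_ADDR_LEN;   /* hdr_len >= 6 here */
    if (adv_data_len > ADV_DATA_MAX) return -1;
    memcpy(out->addr, pdu + ADV_HDR_LEN, ADV_ADDR_LEN);
    memcpy(out->data, pdu + ADV_HDR_LEN + ADV_ADDR_LEN, adv_data_len);
    out->data_len = (uint8_t)adv_data_len;
    return 0;
}

/* Constructed (not captured) hostile frame: ADV_IND header whose 6-bit Length
 * is its maximum, 63, followed by 63 bytes of 0x41 filler. */
static size_t build_hostile_adv_pdu(uint8_t *buf, size_t cap)
{
    const size_t total = ADV_HDR_LEN + 0x3F;
    if (cap < total) return 0;
    memset(buf, 0x41, total);
    buf[0] = 0x00;  /* PDU type ADV_IND, TxAdd = RxAdd = 0 */
    buf[1] = 0x3F;
    return total;
}

/* Returns the sentinel's value after the vulnerable parser ran: 0x41 means
 * AdvData was copied straight through the end of data[]. */
int run_vulnerable_demo(void)
{
    uint8_t frame[80];
    report_slot_t slot;
    memset(&slot, 0, sizeof slot);
    size_t n = build_hostile_adv_pdu(frame, sizeof frame);
    if (n == 0 || parse_adv_vulnerable(frame, n, &slot.rep) != 0) return -1;
    return slot.rep.accepted;
}

/* Returns 0 when the hardened parser rejects the same frame and leaves the
 * record untouched. */
int run_hardened_hostile_demo(void)
{
    uint8_t frame[80];
    report_slot_t slot;
    memset(&slot, 0, sizeof slot);
    size_t n = build_hostile_adv_pdu(frame, sizeof frame);
    int rc = parse_adv_hardened(frame, n, &slot.rep);
    return (rc == -1 && slot.rep.accepted == 0 && slot.rep.data_len == 0) ? 0 : -2;
}

/* Well-formed constructed ADV_IND (Length 9 = 6-byte AdvA + 3-byte Flags AD
 * structure); returns the parsed AdvData length, expected 3. */
int run_hardened_valid_demo(void)
{
    const uint8_t frame[] = { 0x00, 0x09, 0xC0, 0xFF, 0xEE, 0x12, 0x34, 0x56,
                              0x02, 0x01, 0x06 };
    adv_report_t rep;
    memset(&rep, 0, sizeof rep);
    if (parse_adv_hardened(frame, sizeof frame, &rep) != 0) return -1;
    return rep.data_len;
}

int main(void)
{
    printf("vulnerable parser, sentinel after parse: 0x%02x\n", run_vulnerable_demo());
    printf("hardened parser on hostile frame: %s\n",
           run_hardened_hostile_demo() == 0 ? "rejected" : "accepted");
    printf("hardened parser on valid frame, AdvData length: %d\n", run_hardened_valid_demo());
    return 0;
}
```

The check that matters is the one comparing the header's Length with `rx_len`: a length that the radio did not actually deliver is the first sign of a crafted frame, and rejecting it before any copy is what keeps a scanning device from writing attacker bytes past a fixed-size buffer.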

Mitigation

Update BLE-stack to version 2.2.2.

Vulnerable software versions

BLE-STACK: before 2.2.2

External links

http://armis.com/bleedingbit/


Q & A

Can this vulnerability be exploited remotely?

No. The attacker must be within BLE radio range of the target device (physical proximity); the vulnerability cannot be exploited over the network.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Privilege escalation

EUVDB-ID: #VU15684

Risk: Medium

CVSSv3.1: 6.2 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2018-7080

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows an attacker within BLE radio range to gain full control over the target device.

The weakness exists because the over-the-air firmware download (OAD) feature, when enabled on a device using the chip, accepts a new firmware image on the strength of a password alone. An attacker in radio range who has obtained that password, by sniffing a legitimate update or by reverse-engineering Aruba's BLE firmware, can connect to the BLE chip of a vulnerable access point, upload an update containing the attacker's own code, completely rewrite its operating system and gain full control over the AP.

The vulnerability has been dubbed "BLEEDINGBIT".

Mitigation

Ensure the OAD functionality is not active in live production environments unless it has been properly secured.

Vulnerable software versions

BLE-STACK: All versions

External links

http://armis.com/bleedingbit/


Q & A

Can this vulnerability be exploited remotely?

No. The attacker must be within BLE radio range of the target device (physical proximity) and must already hold the OAD password; the vulnerability cannot be exploited over the network.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


