Arbitrary code execution in Cisco devices



Published: 2018-11-02
Risk: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2018-16986
CWE-ID: CWE-120
Exploitation vector: Local
Public exploit: N/A
Vulnerable software
Category (all products below): Hardware solutions / Routers & switches, VoIP, GSM, etc

Meraki MR74

Meraki MR53E AP

Meraki MR42E AP

Meraki MR33 AP

Meraki MR30H AP

Cisco 4800 Aironet Access Points

Cisco 1815w Aironet Access Points

Cisco 1815m Aironet Access Points

Cisco 1815i Aironet Access Points

Cisco 1810 Aironet Access Points

Cisco 1800i Aironet Access Points

Cisco 1540 Aironet Series Outdoor Access Points

Vendor: Cisco Systems, Inc

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Buffer overflow

EUVDB-ID: #VU15683

Risk: Medium

CVSSv3.1: 6.6 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16986

CWE-ID: CWE-120 - Buffer overflow

Exploit availability: No

Description

The vulnerability allows a physical attacker to execute arbitrary code on the target system.

The weakness exists due to a boundary error when handling malicious input if BLE is turned on and the device is actively scanning. A physical attacker who is in range of the targeted device can send specially crafted packets containing malformed BLE frames, trigger memory corruption and execute arbitrary code. The attacker can also install a backdoor on the chip and then gain complete control of the system. In the case of access points, the attacker can use the compromised AP to spread to other devices on the network, even if segmentation is in place.

The vulnerability has been dubbed "BLEEDINGBIT".

Mitigation

Update Cisco Aironet products to version 8.8.100.0. Update Meraki to version MR 25.13.

Vulnerable software versions

Meraki MR74: before MR 25.13

Meraki MR53E AP: before MR 25.13

Meraki MR42E AP: before MR 25.13

Meraki MR33 AP: before MR 25.13

Meraki MR30H AP: before MR 25.13

Cisco 4800 Aironet Access Points: before 8.8.100.0

Cisco 1815w Aironet Access Points: before 8.8.100.0

Cisco 1815m Aironet Access Points: before 8.8.100.0

Cisco 1815i Aironet Access Points: before 8.8.100.0

Cisco 1810 Aironet Access Points: before 8.8.100.0

Cisco 1800i Aironet Access Points: before 8.8.100.0

Cisco 1540 Aironet Series Outdoor Access Points: before 8.8.100.0
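
A fleet-triage check against the fixed versions listed above, added here as an example (not code from Cisco or from this bulletin). The inventory rows, the family and model keys and the status labels are constructed assumptions; versions are compared numerically because a string comparison would rank 8.10 below 8.8 and 25.9 above 25.13.

```python
import re

# Fixed releases as stated in this bulletin, keyed by product family.
FIXED = {"aironet": (8, 8, 100, 0), "meraki": (25, 13)}

# Affected models as listed in this bulletin (short keys are an assumption).
AFFECTED = {
    "aironet": {"4800", "1815w", "1815m", "1815i", "1810", "1800i", "1540"},
    "meraki": {"MR74", "MR53E", "MR42E", "MR33", "MR30H"},
}

def parse_version(text):
    """Turn '8.8.100.0' or 'MR 25.13' into a tuple of ints; None if unparseable."""
    m = re.fullmatch(r"(?:MR\s*)?(\d+(?:\.\d+)*)", text.strip(), re.IGNORECASE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(family, model, version, ble_scanning):
    """Classify one access point against the bulletin's fixed versions."""
    if model not in AFFECTED.get(family, ()):
        return "not-listed"
    have = parse_version(version)
    if have is None:
        return "unknown-version"  # never assume patched on unreadable data
    fixed = FIXED[family]
    # Pad to equal length so (25, 13) and (25, 13, 0) compare as equal.
    width = max(len(have), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    if pad(have) >= pad(fixed):
        return "patched"
    # Below the fixed release: the flaw is reachable while BLE is on and
    # scanning; with BLE off the device still needs the update.
    return "vulnerable-exposed" if ble_scanning else "vulnerable-ble-off"

# Constructed sample inventory: family, model, firmware, BLE scanning enabled.
INVENTORY = [
    ("aironet", "1815i", "8.5.135.0", True),
    ("aironet", "4800", "8.8.100.0", True),
    ("aironet", "1540", "8.10.105.0", False),
    ("meraki", "MR33", "MR 25.9", False),
    ("meraki", "MR74", "MR 25.13", True),
    ("meraki", "MR30H", "25.x-beta", True),
    ("aironet", "EXAMPLE-AP", "8.5.135.0", True),  # hypothetical model
]

def report(inventory=INVENTORY):
    return [(model, triage(f, model, v, ble)) for f, model, v, ble in inventory]

if __name__ == "__main__":
    for model, status in report():
        print(f"{model:12} {status}")
```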

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


