2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
This article analyses the two BLEEDINGBIT vulnerabilities, summarizing the cause of each and the corresponding mitigations.
0x00 CVE-2018-16986 principle
In the Link Layer (LL), a BLE device is in one of five states: standby (no device connected, no data sent or received); advertising (Advertiser, periodically sending advertising packets); scanning (Scanner, actively looking for advertising devices); initiating (Initiator, actively initiating a connection); and connected (the connection has been established).
The state machine is as follows:
When a master and a slave begin to connect, the slave moves from the standby state into the advertising state and periodically sends advertising packets. The master scans for these packets and processes the ones it receives. If a connection is wanted, the master initiates one to the slave. Once the connection is established, both devices enter the connected state and exchange data.
The structure of the advertising packet is as follows:
The Length field gives the length of the advertising packet's payload, and its legal range is 6 to 37. That range is fixed by the BLE protocol, but the field itself is 6 bits wide and can therefore encode 64 values (0 to 63). If the protocol stack does not allocate more than 64 bytes of memory for the advertising packet and does not validate the Length field when a packet is received, a buffer overflow can result.
The researchers most likely constructed advertising packets with an illegal Length field to exploit this buffer overflow.
First, the attacker sends several legitimate advertising packets, which are stored in the target device's memory. These packets are harmless on their own, but they carry code that the attacker will later cause to be called.
Next, the attacker sends an overflow packet whose Length field makes the chip obtain more memory than it actually needs, triggering the memory overflow. The memory reached by the overflow contains function pointers, which point to specific segments of code and which an attacker can redirect to the code delivered to the vulnerable chip in the first phase of the attack.
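The following C example is added here to show the check the article says was missing; it is constructed for this page and is not code from the article or from TI's BLE-STACK. It parses the 2-byte BLE 4.x advertising PDU header, masks the 6-bit Length field, rejects values outside 6..37 before copying into a 37-byte buffer, and also reports how far an unchecked copy would overrun that buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed example (not code from the article or TI's BLE-STACK): parse the
 * 2-byte BLE 4.x advertising PDU header with the length check the article says was missing. */
#define ADV_HDR_LEN     2
#define ADV_PAYLOAD_MIN 6    /* legal payload length per the spec: 6..37 */
#define ADV_PAYLOAD_MAX 37
#define ADV_LEN_MASK    0x3F /* 6-bit Length field: raw values 0..63 */

typedef struct {
    uint8_t length;                   /* validated payload length */
    uint8_t payload[ADV_PAYLOAD_MAX]; /* fixed 37-byte buffer, as in a small stack */
} adv_pdu_t;

/* Bytes an unchecked copy of the header's raw length into the 37-byte
 * buffer would write past its end (0 means no overrun). */
unsigned adv_unchecked_overrun(uint8_t hdr_byte1)
{
    unsigned raw = hdr_byte1 & ADV_LEN_MASK;
    return raw > ADV_PAYLOAD_MAX ? raw - ADV_PAYLOAD_MAX : 0;
}

/* Hardened parse: 0 ok, -1 short header, -2 illegal length field,
 * -3 frame shorter than the length field claims. */
int adv_parse(const uint8_t *frame, size_t frame_len, adv_pdu_t *out)
{
    if (frame == NULL || out == NULL || frame_len < ADV_HDR_LEN)
        return -1;
    unsigned raw = frame[1] & ADV_LEN_MASK;
    if (raw < ADV_PAYLOAD_MIN || raw > ADV_PAYLOAD_MAX) /* the missing check */
        return -2;
    if (frame_len < ADV_HDR_LEN + raw)  /* trust the radio's byte count, not the header */
        return -3;
    out->length = (uint8_t)raw;
    memcpy(out->payload, frame + ADV_HDR_LEN, raw);
    return 0;
}

/* Build a constructed ADV_IND frame whose Length field is raw_len and whose
 * body is body_len filler bytes (capped at 63), then parse it. */
int demo_parse(uint8_t raw_len, size_t body_len)
{
    uint8_t frame[ADV_HDR_LEN + 63] = { 0x00, (uint8_t)(raw_len & ADV_LEN_MASK) };
    memset(frame + ADV_HDR_LEN, 0x41, 63);
    if (body_len > 63) body_len = 63;
    adv_pdu_t pdu;
    return adv_parse(frame, ADV_HDR_LEN + body_len, &pdu);
}
```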
Threat description
Range is limited: the attacker must be within radio range of the target's Bluetooth advertising traffic.
Only the master device is affected. The vulnerability is a buffer overflow in the master device while it scans for advertisements, and the researchers did not disclose any equivalent flaw in slave devices receiving scan request or connection request packets, so slave devices are not affected. Since the vast majority of BLE devices act as slaves, the vulnerability mainly threatens devices acting as masters and applications that switch roles.
Affected scope
CC2640 (non-R2 version) and CC2650 with protocol stack V2.2.1 or earlier
CC2640R2F, the protocol stack is simpleLink CC2640R2 SDK 1.00.00.22 (BLE-STACK 3.0.0) or earlier
CC1350, protocol stack is SimpleLink CC13x0 SDK version 2.20.00.38 (BLE-STACK 2.3.3) or earlier
Mitigation measures
TI has updated the protocol stack; the current version is V2.2.2.
Users of the CC2640 (non-R2) and CC2650 with protocol stack V2.2.1 or earlier should update the protocol stack to V2.2.2.
Users of the CC2640R2F with SimpleLink CC2640R2 SDK 1.00.00.22 (BLE-STACK 3.0.0) or earlier should update to SimpleLink CC2640R2F SDK 1.30.00.25 (BLE-STACK 3.0.1) or later.
Users of the CC1350 with SimpleLink CC13x0 SDK 2.20.00.38 (BLE-STACK 2.3.3) or earlier should update to SimpleLink CC13x0 SDK 2.30.00.20 (BLE-STACK 2.3.4) or later.
0x01 CVE-2018-7080
This vulnerability affects Aruba's Access Point 300 series products, which use TI's BLE chip and enable the OAD (Over-the-Air Download) firmware-update feature provided by the chip.
Principle
The OAD function is effectively a backdoor reserved for upgrading the chip's firmware.
TI's OAD comes in secure and non-secure variants. In secure OAD, the newly downloaded firmware is authenticated as part of the OAD process.
Aruba's Access Point 300 series products protect the OAD process only with a hard-coded password, and the downloaded firmware is not authenticated. The researchers found that the hard-coded password could be recovered from the firmware officially distributed by Aruba or by connecting to the hardware, and the BLE device could then be accessed with that password.
Threat description
The impact is more severe. Any product that uses a TI BLE chip, enables the OAD function and does not authenticate the upgraded firmware may be attacked.
Affected scope
TI chips:
CC2642R
CC2640R2
CC2640
CC2650
CC2540
CC2541
Aruba products:
AP-3xx and IAP-3xx series access points
AP-203R
AP-203RP
ArubaOS 6.4.4.x prior to 6.4.4.20
ArubaOS 6.5.3.x prior to 6.5.3.9
ArubaOS 6.5.4.x prior to 6.5.4.9
ArubaOS 8.x prior to 8.2.2.2
ArubaOS 8.3.x prior to 8.3.0.4