CVE-2018-16986:
CVE-2018-16986: A remote code execution (and potential denial of service) vulnerability in Texas Instruments BLE-STACK v2.2.1 for SimpleLink CC2640 and CC2650 devices allows an attacker to execute arbitrary code by sending a malformed Bluetooth Low Energy packet that overflows a buffer.
Score
A numerical rating that indicates how dangerous this vulnerability is.
8.8High- Published Date:Nov 6, 2018
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:2.6
- EPSS Percentile:86%
Exploitability
- Score:2.8
- Attack Vector:ADJACENT_NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
CVE-2018-16986: A remote code execution (and potential denial of service) vulnerability in Texas Instruments BLE-STACK v2.2.1 for SimpleLink CC2640 and CC2650 devices allows an attacker to execute arbitrary code by sending a malformed Bluetooth Low Energy packet that overflows a buffer.
Overview
This CVE concerns a buffer overflow flaw in TI’s BLE-STACK v2.2.1 implemented on SimpleLink CC2640/CC2650 devices, which can be exploited by a remote attacker via a malformed BLE packet to achieve arbitrary code execution. The issue is documented as a denial of service and remote code execution vulnerability and has been disclosed by TI and multiple third-party security advisories. The vulnerability highlights the risk of remote compromise for devices running the affected stack and emphasizes the need for applying vendor-provided fixes.
Remediation
- Upgrade to a BLE-STACK version that contains the fix for this vulnerability (check TI’s official advisory and release notes and apply the recommended firmware/stack update for CC2640/CC2650 devices).
- Apply the vendor advisories and security patches referenced by TI (e.g., Cisco advisory, CERT notes) and verify that all affected devices receive the updated stack.
- After upgrading, reflash devices with the patched BLE-STACK and validate basic BLE functionality and firmware integrity.
- If upgrading is not immediately possible, harden exposure by limiting BLE surface exposure where feasible (network segmentation, restricting devices that can communicate with the BLE stack, and monitoring for anomalous BLE traffic) and implement a process to monitor for indicators of compromise.
- Establish a regression test plan to ensure no disruption to legitimate BLE operations post-update and maintain an asset inventory of devices with their BLE stacks and versions.
References
- - ArmIs BleedingBit. https://armis.com/bleedingbit/
- - TI E2E Forum: BLE/CC2640/CC2650 discussion. http://e2e.ti.com/support/wireless-connectivity/bluetooth/f/538/t/742827
- - SecurityTracker. 1042018. http://www.securitytracker.com/id/1042018
- - CERT Vulnerability Note VU#317277. https://www.kb.cert.org/vuls/id/317277
- - SecurityFocus BID 105812. http://www.securityfocus.com/bid/105812
- - Cisco Security Advisory: cisco-sa-20181101-ap. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
