search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Texas Instruments CC2640 and CC2650 microcontrollers vulnerable to heap overflow and insecure update

Vulnerability Note VU#317277

Original Release Date: 2018-11-01 | Last Revised: 2019-01-07

Overview

Texas Instruments CC2640 and CC2650 microcontrollers are vulnerable to a heap overflow and may allow unauthenticated firmware installation.

Description

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVE-2018-16986 - also known as BLEEDINGBIT
The following Texas Instrument chips are affected:

  • CC2640 (non-R2) with BLE-STACK version 2.2.1 or an earlier version
  • CC2650 with BLE-STACK version 2.2.1 or an earlier version
  • CC2640R2F with SimpleLink CC2640R2 SDK version 1.00.00.22 (BLE-STACK 3.0.0)
  • CC1350 with SimpleLink CC13x0 SDK version 2.20.00.38 (BLE-STACK 2.3.3) or an earlier version
The above Texas Instruments controllers contain BLE-Stacks with a memory corruption vulnerability resulting from the mishandling of BLE advertising packets. The function llGetAdvChanPDU that is part of the embedded ROM image in both chips handles the incoming advertising packets and parses their headers. It copies the contents to a separate buffer provided by the calling function. The incorrect length of the packet is taken and ends up being parsed as larger packets than originally intended. If the incoming data is over a certain length, the function will call the halAssertHandler function, as defined by the application running on top of the stack, and not stop execution. Since the flow of execution does not stop, it will copy the overly large packet to the buffer and cause a heap overflow.

CVE-2018-7080 - also known as BLEEDINGBIT
The following Texas Instruments devices are affected if the Over the Air firmware Download (OAD) feature is enabled and not sufficiently secured:
  • CC2642R
  • CC2640R2
  • CC2640
  • CC2650
  • CC2540
  • CC2541
  • Certain Aruba access points are affected.
The OAD feature allows for remote firmware updates of some BLE chips. An attacker could connect to a BLE chip on a vulnerable access point (either without authentication or by obtaining the password through other means depending on the implementation) and upload their own malicious firmware, which could give them complete control over the access point.

Impact

Using a specially crafted set of packets, an attacker can both control the data of the overflow, and the length of it, which may lead to remote code execution on the targeted BLE chip. An attacker needs to be within physical proximity to the device while it is in scanning mode to trigger vulnerable code. This memory corruption can lead to code execution on the main CPU of the device, which could have the potential to affect other devices across a network if the origin is a networked device. An attacker could also exploit this vulnerability to rewrite the operating system of a device and gain full control over it.

Given the nature of embedded devices, it is possible that a broader set of devices are impacted than what is listed in this publication. If you believe you are affected, please email us at cert@cert.org.

Solution

Update the BLE-Stack
This vulnerability was patched in BLE-Stack v2.2.2 released by Texas Instruments on March 28, 2018. Affected devices will require a firmware update to obtain the updated BLE-Stack.

Do not use the OAD feature in production
The OAD featrure is never meant to be used in production, so manufacturers should ensure that this feature is not enabled by default in live environments.

Vendor Information

317277
 

View all 159 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 7.9 AV:A/AC:M/Au:N/C:C/I:C/A:C
Temporal 6.2 E:POC/RL:OF/RC:C
Environmental 4.6 CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

We would like to thank Ben Seri at Armis for reporting this vulnerability.

This document was written by Madison Oliver.

Other Information

CVE IDs: CVE-2018-16986, CVE-2018-7080
Date Public: 2018-11-01
Date First Published: 2018-11-01
Date Last Updated: 2019-01-07 19:17 UTC
Document Revision: 70

Sponsored by CISA.