Texas Instruments CC2640 and CC2650 microcontrollers are vulnerable to a heap overflow and may allow unauthenticated firmware installation.
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2018-16986 - also known as BLEEDINGBIT
CVE-2018-7080 - also known as BLEEDINGBIT
The following Texas Instruments devices are affected if the Over the Air firmware Download (OAD) feature is enabled and not sufficiently secured:
Using a specially crafted set of packets, an attacker can control both the contents and the length of the overflow, which may lead to remote code execution on the targeted BLE chip. An attacker needs to be within physical proximity to the device while it is in scanning mode to trigger the vulnerable code. This memory corruption can lead to code execution on the main CPU of the device, which could in turn affect other devices across a network if the compromised device is networked. An attacker could also exploit this vulnerability to rewrite the operating system of a device and gain full control over it.
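To illustrate the defensive pattern this class of bug calls for, the following is an added C example; it is not TI's code and not a reconstruction of the specific defect. It parses a legacy BLE advertising PDU received in scanning mode and refuses any length field, in the PDU header or in an AD structure, that claims more bytes than the radio actually delivered. The layout assumed (2-byte header whose second byte carries a 6-bit length, 6-byte AdvA, up to 31 bytes of length/type/data AD structures) is the Bluetooth 4.x one; the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Legacy (BT 4.x) advertising PDU: 2-byte header, 6-byte AdvA, up to 31 bytes AdvData. */
#define ADV_HDR_LEN     2
#define ADV_ADDR_LEN    6
#define ADV_PAYLOAD_MAX 37   /* AdvA + AdvData */
typedef struct {
    uint8_t len;          /* length of type + data, as carried on the air */
    uint8_t type;         /* AD type, e.g. 0x01 Flags, 0x09 Complete Local Name */
    const uint8_t *data;  /* points into the received PDU, len - 1 bytes */
} ad_struct_t;

/* Parse a received advertising PDU into AD structures without trusting any
 * length field beyond the bytes the radio actually delivered. Returns the
 * number of AD structures found, or -1 if a length claim cannot be honoured. */
int parse_adv_pdu(const uint8_t *pdu, size_t received_len,
                  ad_struct_t *out, size_t max_out)
{
    if (pdu == NULL || received_len < ADV_HDR_LEN + ADV_ADDR_LEN)
        return -1;
    /* Header byte 1: bits 0-5 carry the payload length, bits 6-7 are reserved.
     * Mask the reserved bits so they can never inflate the length. */
    size_t payload_len = pdu[1] & 0x3F;
    if (payload_len < ADV_ADDR_LEN || payload_len > ADV_PAYLOAD_MAX)
        return -1;
    /* The claimed payload must fit inside what was actually received. */
    if (ADV_HDR_LEN + payload_len > received_len)
        return -1;
    const uint8_t *ad = pdu + ADV_HDR_LEN + ADV_ADDR_LEN;
    size_t remaining = payload_len - ADV_ADDR_LEN;
    int count = 0;
    while (remaining > 0) {
        uint8_t len = ad[0];
        if (len == 0)                      /* start of the zero-padded, non-significant part */
            break;
        if ((size_t)len + 1 > remaining)   /* len covers type + data; it must fit */
            return -1;
        if ((size_t)count < max_out) {
            out[count].len  = len;
            out[count].type = ad[1];
            out[count].data = ad + 2;
        }
        count++;
        ad += 1 + len;
        remaining -= 1 + len;
    }
    return count;
}
```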
Update the BLE-Stack
We would like to thank Ben Seri at Armis for reporting this vulnerability.