BleedingBit Security Vulnerability
For more information, please see:
Zebra is unaware of any active exploits of this vulnerability. However, we recommend concerned customers update software for the two impacted Zebra products to mitigate the risk of exploitation. No additional LifeGuard updates will be made.
BLEEDINGBIT is a security vulnerability that affects Bluetooth® low energy (BLE) chips made by Texas Instruments. It consists of two related remote-control exploit issues:
A memory corruption condition (CVE-2018-16986) that can occur during processing of incorrect network traffic from the BLE module. A malicious actor who is close to the target device could execute arbitrary code by sending malformed data, or execute a DoS (denial-of-service) condition which could shut down the device.
An Over-The-Air Download (OAD) functionality issue (CVE-2018-7080) that can be triggered only when the relevant BLE radio function is enabled by the device owners (it is disabled by default). A malicious actor could push altered copies of these images to gain control of the device.
Only the following two BLE badge products are affected. Zebra mobile devices, handheld devices, barcode scanners and printers are not impacted.
|Zebra Product SKU||Description||Update Available|
|GE-MB6000-01-WR||Mobile BLE Badge||January, 2019|
|GE-MB5000-01-WR||Fixed BLE Badge||January, 2019|
Only the above Zebra devices are impacted by CVE-2018-16986 only and CVE-2018-7080 does not apply since the OAD feature in the Texas Instruments’ (TI) CC2640 BLE chip is disabled. The Zebra devices have an STMicroelectronics Microcontroller Unit (MCU) and BLE chip CC2640. The MCU firmware is written on CYPRESS WICED SDK. The firmware of the TI CC2640 is based on TI’s BLE SDK 2.1. The MCU connects to the CC2640 via a UART port. The MCU sends BLE HCI commands to the CC2640, the CC2640 does the BLE scanning continuously, and the CC2640 returns the scanned BLE packets in a predefined format to MCU.
During the scanning process, there is possible memory corruption in the CC2640 per CVE-2018-16986. If the CC2640 is exploited, it may send garbage data over the UART port to the MCU. The MCU may or may not discard the data, depending on the data itself. In this manner, the badge could become useless as there is no valid BLE packet data to collect inside the MCU.
If an attacker wants to gain full control of the device the attacker needs to first gain control of the MCU. The attacker would need to find an enabling vulnerability in WICED SDK and the STM MCU as well. The hacker would then need to attack the MCU through the exploited CC2640 chip via the UART port. The possibility of exploiting the MCU (achieved in conjunction with the exploitation of undiscovered vulnerabilities in both the Wicked SDK and the STM MCU) to gain full control over the device is relatively low.
To avoid the potential of this vulnerability, Zebra must port the CC2640 firmware code to the TI BLE SDK 2.2.2. For new device this updated CC2640 firmware code can be used. For deployed devices the updated CC2640 firmware can be updated over-the-air through the MCU where the MCU pushes the new firmware to CC2640 via UART port.
Disclaimer: Zebra makes every attempt to release security updates on or about the time that Google releases its respective security bulletin. However, delivery time of security updates may vary depending on the region, product model, and third party software suppliers. Under some circumstances, the OS must be updated to the latest maintenance release prior to installing the security updates. Individual product updates will provide specific guidance.
Unless otherwise noted, there have been no reports of active customer exploitation or abuse from these newly reported issues.
Are you aware of a potential security issue with a Zebra Technologies product?