Posted on

VU#317277: Texas Instruments Microcontrollers CC2640 and CC2650 are vulnerable to heap overflow

CWE-119:Improper Restriction of Operations within the Bounds of a Memory Buffer CVE-2018-16986 – also known as BLEEDINGBIT The following Texas Instrument chips are affected: CC2640(non-R2)with BLE-STACK version 2.2.1 or an earlier version CC2650 with BLE-STACK version 2.2.1 or an earlier version CC2640R2F with SimpleLink CC2640R2 SDK version 1.00.00.22(BLE-STACK 3.0.0)CC1350 with SimpleLink CC13x0 SDK version 2.20.00.38(BLE-STACK 2.3.3)or an earlier version The above Texas Instruments controllers contain BLE-Stacks with a memory corruption vulnerability resulting from the mishandling of BLE advertising packets. The function llGetAdvChanPDU that is part of the embedded ROM image in both chips handles the incoming advertising packets and parses their headers. It copies the contents to a separate buffer provided by the calling function. The incorrect length of the packet is taken and ends up being parsed as larger packets than originally intended. If the incoming data is over a certain length,the function will call the halAssertHandler function,as defined by the application running on top of the stack,and not stop execution. Since the flow of execution does not stop,it will copy the overly large packet to the buffer and cause a heap overflow. CVE-2018-7080 – also known as BLEEDINGBIT The following Texas Instruments devices are affected: CC2642R CC2640R2 CC2640 CC2650 CC2540 CC2541 An attacker could exploit the overflow in CVE-2018-16986 on certain network devices that use the above Texas Instruments chips if they have the Over the Air firmware Download(OAD)feature enabled to overwrite the firmware. The OAD feature allows for remote firmware updates of some BLE chips. An attacker could connect to a BLE chip on a vulnerable access point(either without authentication or by obtaining the password through other means depending on the implementation)and upload their own malicious firmware,which may contain malicious code that could give them complete control over the access point.

What are your thoughts?