Summary

• On November 1st, 2018, Armis announced the presence of a Remote Code Execution (RCE) or Denial of Service (DoS) vulnerability in the Bluetooth Low Energy (BLE) Stack on Texas Instruments (TI) chips CC2640 and CC2650. This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID of CVE-2018-16986.
  
  The vulnerability is due to a memory corruption condition that may occur when processing malformed BLE frames. An attacker in close proximity to an affected device that is actively scanning could exploit the issue by broadcasting malformed BLE frames. A successful exploit may result in the attacker gaining the ability to execute arbitrary code or cause a denial of service condition on an affected device.

  There are no workarounds that address this vulnerability.

  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap

Affected Products

• Vulnerable Products

  The following table lists Cisco products that are affected by the vulnerability described in this advisory:

  Product	Cisco Bug ID	Fixed Release Availability
  Cisco 1540 Aironet Series Outdoor Access Points	CSCvk44163	8.8.100.0
  Cisco 1800i Aironet Access Points	CSCvk44163	8.8.100.0
  Cisco 1810 Aironet Access Points	CSCvk44163	8.8.100.0
  Cisco 1815i Aironet Access Points	CSCvk44163	8.8.100.0
  Cisco 1815m Aironet Access Points	CSCvk44163	8.8.100.0
  Cisco 1815w Aironet Access Points	CSCvk44163	8.8.100.0
  Cisco 4800 Aironet Access Points	CSCvk44163	8.8.100.0
  Meraki MR30H Access Point	N/A	MR 25.13 and later
  Meraki MR33 Access Point	N/A	MR 25.13 and later
  Meraki MR74 Access Point	N/A	MR 25.13 and later
  Meraki MR42E Access Point	N/A	MR 26.1 and later
  Meraki MR53E Access Point	N/A	MR 26.1 and later

  
  

  Determining if the Cisco Aironet Access Point Supports BLE

  Cisco Aironet Access Points first supported the BLE feature in software release 8.7, which means an Access Point is only vulnerable if running software release 8.7.102.0 or 8.7.106.0. To determine if a device supports BLE, the administrator can issue the show controllers bleRadio 0 interface command. If the command is not recognized or the error message BLE not supported on this platform is displayed, the Access Point does not support BLE and is considered not vulnerable.

  ap# show controllers bleRadio 0 interface
  % Unrecognized command

  ap# show controllers bleRadio 0 interface
  BLE not supported on this platform

  
  

  Determining if the Cisco Aironet Access Point with BLE Support is Vulnerable

  If a Cisco Aironet Access Point does support BLE, it is only vulnerable if BLE is active and BLE scan mode is enabled (BLE scan mode is disabled by default). The administrator can issue the show controllers bleRadio 0 interface command and if the Device Status is Unknown the Access Point is not vulnerable.

  ap# show controllers bleRadio 0 interface
  
  Active BLE host interface       : /dev/ttyMSM1
  Device Status                   : Unknown
  Device resets                   : 0
  Heart beat status               : Off

  
  

  The Cisco Aironet Access Points have BLE scan mode disabled by default. The administrator can issue show controllers bleRadio 0 timers and if the Scan timer status is Not Running, the Access Point is not vulnerable.

  ap# show controllers bleRadio 0 timers
  
  Timers
  ------
  Scan timer status       : Not Running

  
  

  In addition, if the administrator issues the show controllers bleRadio 0 scan brief and there are no entries displayed, the Access Point is not vulnerable.

  ap# show controllers bleRadio 0 scan brief
  Profile MAC  RSSI(-dBm)  RSSI@1meter(-dBm)  Last-heard

  
  

  Determining the BLE Status from the WLC Controller

  The administrator can also issue the WLC controller command show advanced ble summary to get the BLE status of the Access Point from the WLC controller.
  
  

  wlc# show advanced ble summary
  Global BLE Mgmt Admin State: DOWN
  
  BLE summary for all APs
  
  AP Name                       Interface        Admin State  Operation State 
  --------------------------    ---------        -----------  ---------------
  ap1800i-r2sw1-te-1-0-11       Integrated       DOWN         Non Operational    
  ap3800i_r2-sw1-Te1-0-5        USB dongle       DOWN         Non Operational

  
  
  

  Determining the Cisco Wireless LAN Controller Software Release

  To determine which Cisco Wireless LAN Controller (WLC) Software release is running on a device, administrators can use the controller’s web interface or the CLI.

  To use the web interface, do the following:

  1. In a browser, log in to the controller’s web interface
  2. Click the Monitor tab
  3. Click Summary in the left pane
  4. Under Controller Summary, the Software Version field shows the release number of the software that is currently running on the device

  To use the CLI, log in to the controller via Telnet, issue the show sysinfo command, and then refer to the value in the Product Version field of the command output. The following example shows the command output for a device that is running Cisco WLC Software Release 8.7.106.0:

  (wlc)> show sysinfo
  
  Manufacturer's Name.............................. Cisco Systems Inc.
  Product Name..................................... Cisco Controller
  Product Version.................................. 8.7.106.0
  Bootloader Version............................... 1.0.1
  Field Recovery Image Version..................... 6.0.182.0
  Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
  Build Type....................................... DATA + WPS
  .
  .
  .

  
  

  Products Confirmed Not Vulnerable

  Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

  Cisco has confirmed that this vulnerability does not affect the following Cisco products:

  • Aironet 1800s Active Sensor
  • Aironet 1815t Series Access Points
  • Aironet 1830 Series Access Points
  • Aironet 1850 Series Access Points
  • Aironet 1560 Series Outdoor Access Points
  • Aironet 2800 Series Access Points
  • Aironet 3800 Series Access Points
  • Aironet Access Points - Running Cisco IOS Software

Workarounds

• There are no workarounds that address this vulnerability.
  

Fixed Software

• For information about fixed software releases, consult the Cisco bugs identified in the Vulnerable Products section of this advisory.
  
  When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
  
  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco TAC or their contracted maintenance providers.

Exploitation and Public Announcements

• The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory.

Source

• Cisco would like to thank Ben Seri, VP of Research at Armis, for finding and reporting this vulnerability.

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap

Revision History

• Version	Description	Section	Status	Date
  1.4	The Meraki product names and firmware versions were updated.	Vulnerable Products	Final	2019-January-23
  1.3	The internal release mapping was updated.	N/A	Final	2019-January-02
  1.2	Added the WLC command "show advanced ble summary" to get the BLE status from the WLC controller.	Vulnerable Products	Final	2018-December-13
  1.1	Added Cisco Aironet 1560 Series Outdoor Access Points as not vulnerable.	Products Confirmed Not Vulnerable	Final	2018-November-02
  1.0	Initial public release.	—	Final	2018-November-01

  Show Less