Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2018-16986 |
CWE-ID | CWE-120 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | Meraki MR74, Meraki MR53E AP, Meraki MR42E AP, Meraki MR33 AP, Meraki MR30H AP, Cisco 4800 Aironet Access Points, Cisco 1815w Aironet Access Points, Cisco 1815m Aironet Access Points, Cisco 1815i Aironet Access Points, Cisco 1810 Aironet Access Points, Cisco 1800i Aironet Access Points, Cisco 1540 Aironet Series Outdoor Access Points (category for all: Hardware solutions / Routers & switches, VoIP, GSM, etc) |
Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains one medium-risk vulnerability.
EUVDB-ID: #VU15683
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-16986
CWE-ID: CWE-120 - Buffer overflow
Exploit availability: No
Description
The vulnerability allows a physical attacker to execute arbitrary code on the target system.
The weakness exists due to a boundary error when handling malicious input while BLE is turned on and the device is actively scanning. A physical attacker who is in range of the targeted device can send specially crafted packets containing malformed BLE frames, trigger memory corruption and execute arbitrary code. The attacker can also install a backdoor on the chip and then gain complete control of the system. In the case of access points, the attacker can use the compromised AP to spread to other devices on the network, even if segmentation is in place.
The vulnerability has been dubbed "BLEEDINGBIT".
Mitigation
Update Cisco Aironet products to version 8.8.100.0. Update Meraki to version MR 25.13.
Vulnerable software versions
Meraki MR74: All versions
Meraki MR53E AP: All versions
Meraki MR42E AP: All versions
Meraki MR33 AP: All versions
Meraki MR30H AP: All versions
Cisco 4800 Aironet Access Points: All versions
Cisco 1815w Aironet Access Points: All versions
Cisco 1815m Aironet Access Points: All versions
Cisco 1815i Aironet Access Points: All versions
Cisco 1810 Aironet Access Points: All versions
Cisco 1800i Aironet Access Points: All versions
Cisco 1540 Aironet Series Outdoor Access Points: All versions
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap
Q & A
Can this vulnerability be exploited remotely?
No. The attacker needs physical access to the system in order to successfully exploit this vulnerability.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.