Armis Discovers “BLEEDINGBIT,” Two Critical Chip-Level Vulnerabilities

Armis, the enterprise IoT security company, today announced the discovery of two critical vulnerabilities related to the use of Bluetooth Low Energy (BLE) chips made by Texas Instruments (TI), and used in Cisco, Meraki and Aruba wireless access points, called “BLEEDINGBIT.” If exploited, they allow an unauthenticated attacker to break into enterprise networks undetected, take over access points, spread malware, and move laterally across network segments. Neither of the vulnerabilities can be detected or stopped by traditional network and endpoint security solutions.

Enterprise Networks Impacted

The first BLEEDINGBIT vulnerability impacts the TI BLE chips (cc2640, cc2650) embedded in Cisco and Meraki Wi-Fi access points. If exploited, the proximity-based vulnerability triggers a memory corruption in the BLE stack, which could allow attackers to compromise the main system of the access point – thereby gaining full control over it.

The second issue impacts the Aruba Wi-Fi access point Series 300 with TI BLE chip (cc2540) and specifically its use of TI’s over-the-air firmware download (OAD) feature. This issue is technically a backdoor in BLE chips that was designed to allow firmware updates. The OAD feature is often used as a development tool, but is active in some production access points. It can allow a nearby attacker to access and install a completely new and different version of the firmware — effectively rewriting the operating system of the BLE chip, if not implemented correctly by the manufacturer. In default configurations, the OAD feature doesn’t automatically offer a security mechanism that differentiates a “good” or trusted firmware update from a potentially malicious update. By abusing this feature, an attacker can gain a foothold on an access point through which he can penetrate secure networks.
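The missing mechanism the paragraph describes is an origin check on the incoming image: the chip should refuse to flash anything it cannot tie to a trusted signer, and refuse images older than what it already runs. The following is an added example, not TI's OAD code, not the OAD image format and not part of the Armis report; the image layout (`FWIM` magic, version, length, payload, tag), the `DEMO_KEY` and all function names are constructed for illustration. It places the weak default (structural checks only) beside a hardened acceptance check that authenticates the image with a keyed MAC and rejects downgrades.

```python
"""Firmware-image authentication for an OAD-style update path (added example).

The press release notes that the default OAD feature offers no mechanism to
tell a trusted image from a malicious one. This shows the check that fills
that gap: a keyed MAC over header and payload, verified before anything is
written to flash, plus a version check against replay and downgrade.
Layout, key and names are constructed; this is not TI's image format.
"""
import hashlib
import hmac
import struct

# Constructed image layout (hypothetical): magic(4) | version(2) | length(4) | payload | tag(32)
MAGIC = b"FWIM"
HEADER_FMT = "<4sHI"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 10 bytes
TAG_LEN = hashlib.sha256().digest_size     # 32 bytes

# Constructed key for the demo; a real device would hold a provisioned per-product key.
DEMO_KEY = b"constructed-demo-key-do-not-ship"


def build_image(version: int, payload: bytes, key: bytes) -> bytes:
    """Producer side: append an HMAC-SHA256 tag covering header and payload."""
    header = struct.pack(HEADER_FMT, MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def accept_without_auth(image: bytes) -> bool:
    """The weak default described in the text: structural checks only, no origin check."""
    if len(image) < HEADER_LEN:
        return False
    magic, _version, length = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    return magic == MAGIC and len(image) >= HEADER_LEN + length


def verify_image(image: bytes, key: bytes, installed_version: int):
    """Hardened acceptance check. Returns (accepted, reason)."""
    if len(image) < HEADER_LEN + TAG_LEN:
        return False, "truncated image"
    magic, version, length = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    if magic != MAGIC:
        return False, "bad magic"
    if len(image) != HEADER_LEN + length + TAG_LEN:
        return False, "length field does not match image size"
    body = image[:HEADER_LEN + length]
    tag = image[HEADER_LEN + length:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time compare so the check itself does not leak the tag byte by byte.
    if not hmac.compare_digest(tag, expected):
        return False, "authentication failed: image not from trusted signer"
    if version <= installed_version:
        return False, "downgrade/replay rejected"
    return True, "accepted"


def demo() -> dict:
    """Run the cases a reviewer would want to see; return results keyed by case."""
    installed = 3
    good = build_image(4, b"\x00" * 64, DEMO_KEY)
    tampered = bytearray(good)
    tampered[HEADER_LEN + 5] ^= 0xFF          # flip one payload byte after signing
    foreign = build_image(4, b"\x00" * 64, b"attacker-chosen-key")  # unknown signer
    old = build_image(2, b"\x00" * 64, DEMO_KEY)                     # valid but older
    return {
        "good": verify_image(good, DEMO_KEY, installed),
        "tampered": verify_image(bytes(tampered), DEMO_KEY, installed),
        "unknown_signer": verify_image(foreign, DEMO_KEY, installed),
        "downgrade": verify_image(old, DEMO_KEY, installed),
        # The default path accepts the foreign image: that is the gap the text describes.
        "default_accepts_foreign": accept_without_auth(foreign),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

A symmetric MAC is used here only because it fits on a constrained BLE chip with the standard library; its weakness is that a key extracted from one unit authenticates images for every unit sharing it. A public-key signature over the image, with only the public key stored on the chip, removes that single point of failure, and the structure of `verify_image` (authenticate first, then check the version, then write) stays the same.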

TI has already released software updates that address the first vulnerability. Cisco, Meraki, and Aruba are expected to have patches available by November 1. Armis is still in the process of assessing the full reach of the BLEEDINGBIT vulnerabilities — beyond the threat they pose on network infrastructure devices — and is working with CERT Coordination Center (CERT/CC) and various vendors to validate that appropriate patches are provided to every affected product.

“BLEEDINGBIT is a wakeup call to enterprise security for two reasons,” said Armis CEO Yevgeny Dibrov. “First, the fact that an attacker can enter the network without any indication or warning raises serious security concerns. Second, these vulnerabilities can break network segmentation — the primary security strategy that most enterprises use to protect themselves from unknown or dangerous unmanaged and IoT devices. And here, the access point is the unmanaged device.”

More Industries and Devices May Be Affected

While Armis found the vulnerabilities in Wi-Fi access points, they may manifest in other types of devices and equipment used in a variety of industries as well.

“In this instance, we have clearly identified how BLEEDINGBIT impacts network devices,” said Ben Seri, VP of Research at Armis. “But this exposure potentially goes beyond access points, as these chips are used in many other types of devices and equipment. They are used in a variety of industries such as healthcare, industrial, automotive, retail, and more. As we add more connected devices taking advantage of new protocols like BLE, we see the risk landscape grow with it.”

How to Protect Yourself

To protect themselves, organizations with Cisco, Meraki, and Aruba access points should check for the latest updates. Manufacturers using these chips should upgrade to the latest BLE-STACK from TI.

Impacted Chips and Remediation

The first security vulnerability is present in these TI chips when scanning is used (e.g. observer role or central role that performs scanning) in the following device/software combinations and can be remediated as follows:

  • CC2640 (non-R2) and CC2650 with BLE-STACK version 2.2.1 or earlier are impacted; customers can update to version 2.2.2.
  • CC2640R2F with version 1.00.00.22 (BLE-STACK 3.0.0) is impacted; customers can update to SimpleLink CC2640R2F SDK version 1.30.00.25 (BLE-STACK 3.0.1) or later.
  • CC1350 with version 2.20.00.38 (BLE-STACK 2.3.3) or earlier is impacted; customers can update to SimpleLink CC13x0 SDK version 2.30.00.20 (BLE-STACK 2.3.4) or later.

Additional updates on proper use of the OAD feature can be found here.

The BLEEDINGBIT vulnerabilities are the latest issues that illustrate new attack vectors targeting unmanaged and unprotected devices. Last year, Armis discovered BlueBorne, a set of nine zero-day Bluetooth-related vulnerabilities in Android, Windows, Linux and iOS that affected billions of devices, including smartphones, TVs, laptops, watches and automobile audio systems.

For a full report on BLEEDINGBIT, please visit https://armis.com/bleedingbit.

UK needs to talk to China to ensure cybersecurity

As the UK’s cybersecurity situation becomes more uncertain and vulnerable day by day, top cyber intelligence officers have spoken out about seeking alternative arrangements to ensure a more protected digital environment across the country.

Specifically, technical director of GCHQ’s National Cyber Security Centre, Ian Levy, has declared that the UK ought to forge a cyber relationship with China – a softer stance to the earlier warnings and red flags that were raised against Chinese companies – due to its rapid technological advance, great online influence, and its ability to provide support on a cybersecurity front.

During a speech at the Atlantic Future Forum in New York, delivered to a crowd of cyber professionals and military and intelligence executives, Levy said: “Like it or not, we are going to have to talk to China. The reality is they will own a huge chunk of internet structure going forward.

“Like it or not like it, they have 1.4 billion people who are going to be cybercrime victims. Like it or not like it, we are going to have to talk to them because we are going to get all the collateral damage from those attacks.”

Read more here.

Cybersecurity Career Pathway

There are many opportunities for workers to start and advance their careers within cybersecurity. This interactive career pathway shows key jobs within cybersecurity, common transition opportunities between them, and detailed information about the salaries, credentials, and skillsets associated with each role.

National Cybersecurity Career Awareness Week

The National Cybersecurity Career Awareness Week (NCCAW), brought to you by the National Initiative for Cybersecurity (NICE), is a week-long campaign focused on increasing awareness about careers in cybersecurity and building a national cybersecurity workforce to enhance America’s national security and promote economic prosperity. NICE brings to the forefront information of local, regional, and national interest to inspire, educate, and engage citizens to pique their interest in cybersecurity careers. National Cybersecurity Career Awareness Week takes place during November’s National Career Development Month, and each day of the week-long campaign provides an opportunity to learn about the contributions, innovations, and opportunities that can be found by choosing a career in cybersecurity.

Key Messages

Use these key messages to craft your own communications to your contacts. National Cybersecurity Career Awareness Week:

  • creates excitement and increases public awareness and engagement in building a strong cybersecurity workforce
  • emphasizes the demand and opportunities in the field of cybersecurity
  • increases awareness around the multiple career options within the field of cybersecurity
  • highlights the numerous pathways to enter the cybersecurity career field
  • advances the NICE Strategic Plan objective to inspire cybersecurity career awareness with students
  • showcases efforts to increase participation of women, minorities, veterans, persons with disabilities, and other underrepresented populations in the cybersecurity workforce

Help make this National Cybersecurity Career Awareness Week campaign a success. Visit the NCCAW website to see what tools and resources you can use to help promote the week-long effort to your connections.

CVE-2018-17914

Description

InduSoft Web Studio versions prior to 8.1 SP2, and InTouch Edge HMI (formerly InTouch Machine Edition) versions prior to 2017 SP2. This vulnerability could allow an unauthenticated user to remotely execute code with the same privileges as that of the InduSoft Web Studio or InTouch Edge HMI (formerly InTouch Machine Edition) runtime.

Source:  MITRE
Description Last Modified:  11/02/2018

References to Advisories, Solutions, and Tools


Hyperlink Resource
https://ics-cert.us-cert.gov/advisories/ICSA-18-305-01

Complementing a Security Management Model with the 20 Critical Security Controls: Academic Paper

The complexity and velocity of the threats organizations are facing are only escalating, and there is a definite need for careful analysis of attack trends to determine effective mitigations. According to a study by Verizon, 92% of data breaches in 2012 were perpetrated by outsiders and one-fifth of all data breaches were connected with state-affiliated actors, which highlights that the sophistication and resources available to conduct attacks are growing. Furthermore, 69% of breaches were discovered by an external party and often went months before they were detected, offering a glimpse into how little visibility organizations have into active attacks (Verizon, 2013, pp. 5-6). Of the top threat actions identified in 2012, which were tampering, spyware, backdoor, export data, use of stolen credentials, capture stored data, phishing, command and control, downloader, and brute force, seven were related to malware. Verizon's analysis stated that the Critical Security Controls, if implemented, could have directly limited the success of the top threat actions, leading to its recommendation that most organizations could benefit from implementing all of the Critical Security Controls to some level (Verizon, 2013, p. 58).

The organizations affected by data breaches in 2012 were a cross section of small to large organizations, geographically spanning 27 countries and representing a diverse assortment of industries (Verizon, 2013, pp. 4-5). These organizations probably had reasonable security controls in place, such as firewalls, antivirus, and security policies, and given the widespread reference to and adoption of various security management models, such as ISO 27000, COBIT, and NIST, and of compliance frameworks such as PCI DSS, they undoubtedly had access to industry best practices and recommendations. However, even with all these good resources, organizations are increasingly finding themselves reacting to security breaches, often as a result of notification by outside parties, which have damaged the organizations' reputations and caused actual economic losses of information and intellectual property.

John Pescatore, a seasoned security analyst formerly with Gartner and now with the SANS Institute, noted, “Most of the Compliance regimes are invariably rigid, top-down structures, whereas the CSC effort is purposely bottom-up” (Pescatore, 2013, p. 20). This characterization could point to the reason for the apparent disconnect between many organizations' efforts to maintain compliance with various security management models and the fact that they are not effectively stopping attacks. A recent report by the Center for Strategic and International Studies makes an interesting point about compliance frameworks:

“The older compliance and audit-based approach found in legislative mandates like the Health Information Portability and Accountability Act (HIPAA), the Federal Information Security Management Act (FISMA), and the Financial Services Modernization Act (also known as Gramm-Leach-Bliley, GLB) is both resource intensive and ineffective. Compliance is usually a good thing, but in cybersecurity it came to stand for a static, paper-driven method that was expensive without providing equivalent benefits” (Lewis, 2013, p. 7).

The new approach to cyber security is based on evaluation of attack data and of which measures have effectively prevented attacks. The resulting analysis and recommendations offer organizations a chance to assess their security environment with a clear goal in mind.

The stated goal of the Critical Security Controls is to “…protect critical assets, infrastructure, and information by strengthening your organization’s defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.” The controls were developed by experts from various government agencies including the NSA, FBI, US Department of Defense, US Department of Homeland Security, the UK government’s Centre for the Protection of Critical Infrastructure, and the Australian Defence Signals Directorate, with the assistance of various other industry-recognized professionals. Five principles of an effective cyber security defense are reflected in the Critical Security Controls:

  1. “Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
  2. Prioritization: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.
  3. Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
  4. Continuous monitoring: Carry out continuous monitoring to test and validate the effectiveness of current security measures.
  5. Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics” (Council on CyberSecurity, 2013, pp. 2-3).

The Critical Security Controls represent controls that are already found in many of the security management models in use today. They are not meant to replace these models, but to focus and prioritize the controls that are implemented so as to achieve significant reductions in attack success. Simply put, the Critical Security Controls represent the controls most likely to enhance an organization’s security posture, and they give management a guide to where to focus attention and resources first. One reason the Critical Security Controls are so valuable to smaller organizations is that they allow an organization to leverage the expertise of government, industry, and academia in determining which threats and vulnerabilities it is likely to face and should therefore allocate its resources to defend against (Sager, 2013, p. 1).

The consensus-based risk assessment approach essentially allows for a risk assessment based on what the community of experts is seeing, rather than relying only on the expertise internal to one organization to determine the right responses. Tony Sager, the former chief of the information assurance directorate at the NSA, asserts that the Critical Security Controls are a “foundational risk assessment” that an organization can use to determine where to start taking action. The case for the relevance of the Critical Security Controls is simply that organizations today use common technologies and face common threats in an increasingly interconnected environment where organizations are linked to each other, so a common baseline of Critical Security Controls is applicable to many organizations. Additionally, organizations may not have access to the resources and expertise needed to produce the results of the Critical Security Controls themselves, so by leveraging the power of the community they are in a better position to quickly assess and implement a baseline of defenses that thwarts most attacks, and can then concentrate on the specific threats to their business to further enhance their security posture (Sager, 2013, pp. 1-2).

Expanding on the concept of using the Critical Security Controls as a foundational risk assessment is the goal of implementing continuous monitoring. Given the dynamic nature of the risks organizations face, there is an incentive to consider the move to continuous monitoring as a way to ensure risks are being managed effectively. Risk assessment should not be a periodic activity, but should be integrated with the continuous monitoring approach used to manage risks based on the constant stream of new information available. The Critical Security Controls offer another key advantage in this space, as they provide an organization with a prioritized list of the most important elements to target for continuous monitoring (Sager, 2013, p. 3).

Automation of the continuous monitoring process is also key to leveraging the ability of the controls to quickly provide value to an organization. A central philosophy in the design of the Critical Security Controls is that “…any defenses that can be automated, should be automated,” enabling rapid detection and mitigation of attacks on an organization’s network, with the goal of minimizing the damage (Tarala, 2012, p. 1). Today’s organizations are up against some very sophisticated attacks, including malware that has the potential to avoid signature-based detection and the ability to disable antivirus and other security tools. This stresses the importance of having automated controls such as application whitelisting, intrusion detection systems, and asset tracking systems that run and report automatically (Tarala, 2012, p. 5). The principal way to accomplish automation and continuous monitoring is by deploying sensors to collect threat data from inbound and outbound network traffic and report it for correlation and further analysis. The Critical Security Controls outline 45 different sensors that organizations can put into use. These include asset tracking, vulnerability management systems, patch management systems, intrusion detection systems, authentication systems, and file integrity systems (Tarala, 2012, pp. 6-7). Automation does not eliminate the need for intelligent people to analyze the information and determine how to respond, though it does maximize their efficiency and effectiveness: knowing when and where attacks are happening lets them focus their time on remediating the issues that arise.

Conclusion

The Critical Security Controls offer organizations a compelling incentive to align their security environment with these effective mitigations and reduce their potential for successful attacks. As organizations implement these controls, they are likely to realize cost savings through automation, increased visibility into the actual threats they face through continuous monitoring, and an overall lower risk of cyber attack, espionage, and theft, which can be a competitive advantage for any organization in today’s increasingly connected world.

References

Council on CyberSecurity. (2013, March). Critical Controls for Effective Cyber Defense – Version 4.1. Retrieved from Council on CyberSecurity: http://www.counciloncybersecurity.org/images/downloads/Critical%20Controls%20v4.1.pdf

Lewis, J. A. (2013, February). Raising the Bar for Cybersecurity. Retrieved from Center for Strategic and International Studies: http://csis.org/files/publication/130212_Lewis_RaisingBarCybersecurity.pdf

Pescatore, J. (2013, June). SANS 2013 Critical Security Controls Survey: Moving From Awareness to Action. Retrieved from SANS: http://www.sans.org/critical-security-controls/CSC_Survey_2013.pdf

Sager, T. (2013, March). The Critical Security Controls: The Foundation For An Enterprise Risk Management Framework. Retrieved from NIST: http://csrc.nist.gov/cyberframework/rfi_comments/040813_sans_sager_controls_part2.pdf

Tarala, J. (2012, June). Streamline Risk Management by Automating the SANS 20 Critical Security Controls. Retrieved from SANS: http://www.sans.org/reading-room/analysts-program/streamline-risk

Verizon. (2013). 2013 Data Breach Investigation Report. Retrieved from Verizon: http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf