ID

VAR-201811-0299


CVE

CVE-2018-16986


TITLE

Texas Instruments CC2640 and CC2650 microcontrollers vulnerable to heap overflow and insecure update

Trust: 0.8

sources: CERT/CC: VU#317277

DESCRIPTION

Texas Instruments BLE-STACK v2.2.1 for SimpleLink CC2640 and CC2650 devices allows remote attackers to execute arbitrary code via a malformed packet that triggers a buffer overflow.

The BLE-Stack used in the firmware of the Texas Instruments CC2640 and CC2650 microcontrollers contains a buffer overflow vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) - CVE-2018-16986. The flaw is in how the BLE-Stack processes BLE advertising packets. The llGetAdvChanPDU function, included in the chip's ROM image, parses a received advertising packet and copies its contents to another buffer. If the received data exceeds a certain length, the mechanism calls the halAssertHandler function, which is included in the application that runs on the BLE-Stack, and continues processing.

The following chips are vulnerable:
CC2640 (non-R2) with BLE-STACK version 2.2.1 or prior
CC2650 with BLE-STACK version 2.2.1 or prior
CC2640R2F with SimpleLink CC2640R2 SDK version 1.00.00.22 (BLE-STACK 3.0.0)
CC1350 with SimpleLink CC13x0 SDK version 2.20.00.38 (BLE-STACK 2.3.3) or prior

Trust: 2.61

sources: NVD: CVE-2018-16986 // CERT/CC: VU#317277 // JVNDB: JVNDB-2018-008978 // BID: 105812

IOT TAXONOMY

category: ['network device'] // sub_category: bluetooth device

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: ti // model: ble-stack // scope: eq // version: 3.0.0

Trust: 1.0

vendor: ti // model: ble-stack // scope: lte // version: 2.2.1

Trust: 1.0

vendor: ti // model: ble-stack // scope: lte // version: 2.3.3

Trust: 1.0

vendor: aruba // model: - // scope: - // version: -

Trust: 0.8

vendor: cisco // model: - // scope: - // version: -

Trust: 0.8

vendor: texas instruments // model: - // scope: - // version: -

Trust: 0.8

vendor: texas instruments // model: ble-stack // scope: lt // version: v2.2.2 earlier

Trust: 0.8

vendor: ti // model: simplelink cc2640r2 sdk // scope: eq // version: 1.00.00.22

Trust: 0.3

vendor: ti // model: simplelink cc13x0 sdk // scope: eq // version: 2.20.00.38

Trust: 0.3

vendor: ti // model: cc2650 // scope: eq // version: 0

Trust: 0.3

vendor: ti // model: cc2640r2f // scope: eq // version: 0

Trust: 0.3

vendor: ti // model: cc2640 // scope: eq // version: 0

Trust: 0.3

vendor: ti // model: cc1350 // scope: eq // version: 0

Trust: 0.3

vendor: ti // model: ble-stack // scope: eq // version: 3.0

Trust: 0.3

vendor: ti // model: ble-stack // scope: eq // version: 2.3.3

Trust: 0.3

vendor: ti // model: ble-stack // scope: eq // version: 2.2.1

Trust: 0.3

vendor: ti // model: ble-stack // scope: eq // version: 2.1.1

Trust: 0.3

vendor: ti // model: ble-stack // scope: eq // version: 2.1

Trust: 0.3

vendor: ti // model: ble-stack // scope: eq // version: 2.0

Trust: 0.3

vendor: ti // model: ble-stack // scope: eq // version: 1.4.1

Trust: 0.3

vendor: ti // model: ble-stack // scope: eq // version: 1.4

Trust: 0.3

vendor: cisco // model: meraki mr74 // scope: eq // version: 0

Trust: 0.3

vendor: cisco // model: meraki mr53e // scope: eq // version: 0

Trust: 0.3

vendor: cisco // model: meraki mr42e // scope: eq // version: 0

Trust: 0.3

vendor: cisco // model: meraki mr33 // scope: eq // version: 0

Trust: 0.3

vendor: cisco // model: meraki mr30h // scope: eq // version: 0

Trust: 0.3

vendor: cisco // model: aironet // scope: eq // version: 4800

Trust: 0.3

vendor: cisco // model: aironet 1815m // scope: eq // version: 0

Trust: 0.3

vendor: cisco // model: aironet 1815i // scope: eq // version: 0

Trust: 0.3

vendor: cisco // model: aironet // scope: eq // version: 18100

Trust: 0.3

vendor: cisco // model: aironet 1800i // scope: eq // version: 0

Trust: 0.3

vendor: cisco // model: aironet // scope: eq // version: 15400

Trust: 0.3

vendor: ti // model: simplelink cc2640r2 sdk // scope: ne // version: 1.30.00.25

Trust: 0.3

vendor: ti // model: simplelink cc13x0 sdk // scope: ne // version: 2.30.00.20

Trust: 0.3

vendor: ti // model: ble-stack // scope: ne // version: 3.0.1

Trust: 0.3

vendor: ti // model: ble-stack // scope: ne // version: 2.3.4

Trust: 0.3

vendor: ti // model: ble-stack // scope: ne // version: 2.2.2

Trust: 0.3

sources: CERT/CC: VU#317277 // BID: 105812 // JVNDB: JVNDB-2018-008978 // NVD: CVE-2018-16986

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-16986
value: HIGH

Trust: 1.0

CNNVD: CNNVD-201811-025
value: HIGH

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2018-16986
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 6.5
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CVSSV3

nvd@nist.gov: CVE-2018-16986
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: CNNVD: CNNVD-201811-025 // NVD: CVE-2018-16986

PROBLEMTYPE DATA

problemtype: CWE-787

Trust: 1.0

problemtype: CWE-119

Trust: 0.8

sources: JVNDB: JVNDB-2018-008978 // NVD: CVE-2018-16986

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201811-025

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201811-025

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008978

PATCH

title: Aruba BLE Radio Firmware Vulnerability // url: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-006.txt

Trust: 0.8

title: BLE-Stack 2.2.2 // url: http://software-dl.ti.com/lprf/ble_stack/exports/release_notes_BLE_Stack_2_2_2.html

Trust: 0.8

title: Texas Instruments CC2640 and CC2650 Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=86570

Trust: 0.6

sources: JVNDB: JVNDB-2018-008978 // CNNVD: CNNVD-201811-025

EXTERNAL IDS

db: CERT/CC // id: VU#317277

Trust: 3.5

db: NVD // id: CVE-2018-16986

Trust: 2.8

db: BID // id: 105812

Trust: 1.9

db: SECTRACK // id: 1042018

Trust: 1.6

db: JVN // id: JVNVU98767431

Trust: 0.8

db: JVNDB // id: JVNDB-2018-008978

Trust: 0.8

db: AUSCERT // id: ESB-2019.1300

Trust: 0.6

db: CNNVD // id: CNNVD-201811-025

Trust: 0.6

db: OTHER // id: NONE

Trust: 0.1

sources: OTHER: None // CERT/CC: VU#317277 // BID: 105812 // JVNDB: JVNDB-2018-008978 // CNNVD: CNNVD-201811-025 // NVD: CVE-2018-16986

REFERENCES

url:https://armis.com/bleedingbit/

Trust: 3.5

url:https://www.kb.cert.org/vuls/id/317277

Trust: 2.7

url:https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20181101-ap

Trust: 1.9

url:http://www.securityfocus.com/bid/105812

Trust: 1.6

url:http://www.securitytracker.com/id/1042018

Trust: 1.6

url:http://e2e.ti.com/support/wireless-connectivity/bluetooth/f/538/t/742827

Trust: 1.6

url:http://software-dl.ti.com/lprf/ble_stack/exports/release_notes_ble_stack_2_2_2.html

Trust: 1.1

url:https://cwe.mitre.org/data/definitions/119.html

Trust: 0.8

url:https://www.arubanetworks.com/assets/alert/aruba-psa-2018-006.txt

Trust: 0.8

url:http://dev.ti.com/tirex/content/simplelink_cc2640r2_sdk_2_30_00_28/docs/blestack/ble_user_guide/html/ble3-stack-oad/index-ble3-cc2640.html

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-16986

Trust: 0.8

url:https://jvn.jp/vu/jvnvu98767431/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-16986

Trust: 0.8

url:https://fortiguard.com/psirt/fg-ir-18-356

Trust: 0.6

url:https://www.auscert.org.au/bulletins/79126

Trust: 0.6

url:http://www.ti.com/

Trust: 0.3

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

sources: OTHER: None // CERT/CC: VU#317277 // BID: 105812 // JVNDB: JVNDB-2018-008978 // CNNVD: CNNVD-201811-025 // NVD: CVE-2018-16986

CREDITS

Cisco would like to thank Ben Seri, VP of Research at Armis, for finding and reporting this vulnerability.

Trust: 0.6

sources: CNNVD: CNNVD-201811-025

SOURCES

db: OTHER // id: -
db: CERT/CC // id: VU#317277
db: BID // id: 105812
db: JVNDB // id: JVNDB-2018-008978
db: CNNVD // id: CNNVD-201811-025
db: NVD // id: CVE-2018-16986

LAST UPDATE DATE

2025-01-30T21:06:31.758000+00:00


SOURCES UPDATE DATE

db: CERT/CC // id: VU#317277 // date: 2019-01-07T00:00:00
db: BID // id: 105812 // date: 2018-11-01T00:00:00
db: JVNDB // id: JVNDB-2018-008978 // date: 2019-07-25T00:00:00
db: CNNVD // id: CNNVD-201811-025 // date: 2021-07-09T00:00:00
db: NVD // id: CVE-2018-16986 // date: 2024-11-21T03:53:39.360

SOURCES RELEASE DATE

db: CERT/CC // id: VU#317277 // date: 2018-11-01T00:00:00
db: BID // id: 105812 // date: 2018-11-01T00:00:00
db: JVNDB // id: JVNDB-2018-008978 // date: 2018-11-05T00:00:00
db: CNNVD // id: CNNVD-201811-025 // date: 2018-11-02T00:00:00
db: NVD // id: CVE-2018-16986 // date: 2018-11-06T15:29:00.327