Recently, CISA added four vulnerabilities for Owl Labs Meeting Owl devices to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities are exploitable via Bluetooth Low Energy (BLE). This means an attacker would need to be physically near the device in order to exploit it.
On September 18, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added eight vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including four vulnerabilities for Owl Labs Meeting Owl.
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2022-31459 | Owl Labs Meeting Owl Inadequate Encryption Strength Vulnerability | 7.4 |
| CVE-2022-31461 | Owl Labs Meeting Owl Missing Authentication for Critical Function Vulnerability | 7.4 |
| CVE-2022-31462 | Owl Labs Meeting Owl Use of Hard-coded Credentials Vulnerability | 9.3 |
| CVE-2022-31463 | Owl Labs Meeting Owl Improper Authentication Vulnerability | 8.2 |
The CVSS vectors for these vulnerabilities carry an Attack Vector of “Adjacent” (AV:A): all four are exploitable only over Bluetooth Low Energy (BLE), so an attacker must be physically near the device to exploit them. That is unusual for KEV entries, which are overwhelmingly network-reachable flaws.
CISA posted a blog on September 18 detailing how it prioritizes additions to the KEV catalog. It cites three criteria: the vulnerability has an assigned CVE ID; there is reliable evidence that the vulnerability has been actively exploited in the wild; and there is a clear remediation action, such as a vendor-provided update.
The first and the third are fairly straightforward. For the second, the CISA blog notes that its “analysts need evidence that threat actors are actively exploiting the vulnerability in the wild. This evidence needs to be from a credible source — a known industry partner, a trusted security researcher, or a government partner.”
(Image source: Owl Labs, Sept. 22, 2022)
The vulnerabilities were identified by modzero on June 3, 2022 and affect the Meeting Owl device itself: firmware versions prior to 5.4.2.3 are affected by the four issues listed above.
As the “Adjacent” attack vector indicates, these vulnerabilities all require an attacker to be within BLE range of a device. Owl Labs documentation states that all of its devices are Bluetooth Class 1, which has a nominal range of about 330 feet (100 meters), so the distance within which these can be exploited may be substantial.
Interestingly, these vulnerabilities were disclosed over a year ago. In fact, CISA added a vulnerability from the same modzero report, CVE-2022-31460, to KEV at that time.
| Date | CVEs | Event |
|---|---|---|
| 6/3/2022 | CVE-2022-31459, CVE-2022-31460, CVE-2022-31461, CVE-2022-31462, CVE-2022-31463 | Modzero publishes Owl Labs Meeting Owl report disclosing vulnerabilities |
| 6/3/2022 | N/A | Owl Labs updates its cloud applications to remediate modzero’s findings |
| 6/6/2022 | CVE-2022-31460 | Owl Labs releases firmware version 5.4.1.4 for Meeting Owl, which remediates CVE-2022-31460 by disabling WiFi bridging |
| 6/8/2022 | CVE-2022-31460 | CISA adds CVE-2022-31460 to KEV |
| 6/23/2022 | CVE-2022-31459, CVE-2022-31461, CVE-2022-31462, CVE-2022-31463 | Owl Labs releases firmware version 5.4.2.3 for Meeting Owl, which remediates CVE-2022-31459, CVE-2022-31461, CVE-2022-31462 and CVE-2022-31463 |
| 9/18/2023 | CVE-2022-31459, CVE-2022-31461, CVE-2022-31462, CVE-2022-31463 | CISA adds CVE-2022-31459, CVE-2022-31461, CVE-2022-31462 and CVE-2022-31463 to KEV |
Since exploitation requires a device within BLE range of the Meeting Owl, there are two plausible paths: a malicious actor sitting nearby, or a compromised device in the same vicinity. The first scenario is risky for the threat actor, but at a projected range of 330 feet, a parking lot or the sidewalk below an office building could provide cover. A compromised device may be more likely: laptops and cell phones are often compromised, and they accompany people to meetings.
An attacker with full control of a network-connected device (e.g., a laptop or cell phone) can easily exploit TCP/IP vulnerabilities, but exploiting BLE vulnerabilities is not as trivial. Traditional TCP/IP vulnerabilities can usually be exploited with tools already present on the compromised device: netcat, bash built-ins, curl, PowerShell’s Invoke-WebRequest and the like can all be used to exploit a remote IP-based vulnerability. BLE exploration instead calls for enumeration apps or command-line tools like hcitool or gatttool, which are not installed by default on most laptops or mobile devices. So malware that wants to exploit BLE vulnerabilities in a nearby device would need to carry that capability itself, or the attacker would need to write code against the BLE APIs exposed by the compromised device, which vary across operating systems and architectures.
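To make concrete what “BLE enumeration” involves at the wire level, here is an added example (not code from Owl Labs, modzero or Tenable) that parses raw BLE advertising payloads into the fields an inventory or detection script would care about and flags devices by advertised name. The AD-structure layout and the AD type constants are from the Bluetooth Assigned Numbers; the scan records are constructed for the example, and the “Meeting Owl” name prefix on the watch list is an assumption, not a verified advertised name of the product. The parser rejects a structure whose declared length overruns the payload rather than reading past it, which is the edge case a tool consuming untrusted over-the-air data has to handle.

```python
"""Parse BLE advertising payloads and flag devices of interest by name.

Each advertising payload is a sequence of AD structures laid out as:
    [length: 1 byte][AD type: 1 byte][data: length - 1 bytes]
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# AD type values from the Bluetooth Assigned Numbers
AD_FLAGS = 0x01
AD_INCOMPLETE_16BIT_UUIDS = 0x02
AD_COMPLETE_16BIT_UUIDS = 0x03
AD_SHORTENED_NAME = 0x08
AD_COMPLETE_NAME = 0x09
AD_MANUFACTURER_DATA = 0xFF


@dataclass
class Advertisement:
    address: str
    flags: Optional[int] = None
    name: Optional[str] = None
    service_uuids: List[int] = field(default_factory=list)
    company_id: Optional[int] = None
    malformed: bool = False


def ad(ad_type: int, data: bytes) -> bytes:
    """Encode one AD structure (used here only to build the sample payloads)."""
    return bytes([len(data) + 1, ad_type]) + data


def parse_ad_structures(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split a payload into (ad_type, data) pairs.

    A zero length byte ends the payload (trailing padding). A declared length
    that runs past the buffer raises ValueError, so a truncated or hostile
    advertisement is rejected instead of being read out of bounds.
    """
    out = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:
            break
        end = i + 1 + length
        if end > len(payload):
            raise ValueError(f"AD structure at offset {i} overruns payload")
        out.append((payload[i + 1], payload[i + 2:end]))
        i = end
    return out


def parse_advertisement(address: str, payload: bytes) -> Advertisement:
    """Decode the fields an inventory tool cares about from one advertisement."""
    adv = Advertisement(address=address)
    try:
        structures = parse_ad_structures(payload)
    except ValueError:
        adv.malformed = True
        return adv
    for ad_type, data in structures:
        if ad_type == AD_FLAGS and data:
            adv.flags = data[0]
        elif ad_type in (AD_SHORTENED_NAME, AD_COMPLETE_NAME):
            adv.name = data.decode("utf-8", errors="replace")
        elif ad_type in (AD_INCOMPLETE_16BIT_UUIDS, AD_COMPLETE_16BIT_UUIDS):
            # 16-bit service UUIDs are little-endian, two bytes each
            adv.service_uuids.extend(
                int.from_bytes(data[j:j + 2], "little")
                for j in range(0, len(data) - 1, 2)
            )
        elif ad_type == AD_MANUFACTURER_DATA and len(data) >= 2:
            adv.company_id = int.from_bytes(data[:2], "little")
    return adv


# Constructed scan records (address, raw advertising payload); addresses are made up.
SAMPLE_SCAN = [
    ("AA:BB:CC:DD:EE:01", ad(AD_FLAGS, b"\x06") + ad(AD_COMPLETE_NAME, b"Meeting Owl")),
    ("AA:BB:CC:DD:EE:02", ad(AD_FLAGS, b"\x06") + ad(AD_COMPLETE_16BIT_UUIDS, b"\x0a\x18")
        + ad(AD_MANUFACTURER_DATA, b"\xff\xff\x01\x02") + ad(AD_SHORTENED_NAME, b"Laptop")),
    ("AA:BB:CC:DD:EE:03", bytes.fromhex("0201061409")),  # length 0x14 but no data: overrun
]
# Assumed name prefix for illustration; confirm the real advertised name before relying on it.
WATCHLIST_PREFIXES = ("Meeting Owl",)


def scan_report(scan=SAMPLE_SCAN, prefixes=WATCHLIST_PREFIXES):
    """Parse every record; return (all advertisements, those matching the watch list)."""
    advs = [parse_advertisement(addr, payload) for addr, payload in scan]
    flagged = [a for a in advs if a.name and a.name.startswith(tuple(prefixes))]
    return advs, flagged


if __name__ == "__main__":
    advs, flagged = scan_report()
    for a in advs:
        print(a)
    print("watch-listed:", [a.address for a in flagged])
```

In practice the payloads would come from a live scan (for example the advertising reports that `hcitool lescan` or a platform BLE API surfaces); the parsing and the watch-list check are the same either way, and the malformed-length branch is what keeps a hostile advertisement from crashing the collector.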
While CISA indicates it must have credible evidence that exploitation occurred before adding vulnerabilities to KEV, I’m not currently aware of any BLE vulnerabilities actually exploited in the wild. I’m also not aware of any malware that contains Bluetooth or BLE functionality. Evidence would probably look like either logs from the device or a sample of the malware with this capability. If this is true, it likely marks the first time we have such evidence of exploitation of BLE vulnerabilities.
These vulnerabilities are interesting and may mark the first time there is evidence of BLE device exploitation in the wild. Their appearance on KEV should also prompt a review of the security of devices in sensitive locations like meeting rooms.
Ben joined Tenable in 2015 to pull apart packets for Nessus Network Monitor. Since then he’s donned many hats, working on products, plugins and content. Most recently, Ben has found a home providing vulnerability research and coverage via Nessus plugins. Prior to Tenable, Ben spent years as a customer, working on all aspects of vulnerability management and defending networks.