Vulnerabilities related to espressif - esp-idf
CVE-2019-15894 (GCVE-0-2019-15894)
Vulnerability from cvelistv5
Published
2019-10-07 15:54
Modified
2024-08-05 01:03
CWE
- n/a
Summary
An issue was discovered in Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, 3.1.x through 3.1.6, 3.2.x through 3.2.3, and 3.3.x through 3.3.1. An attacker who uses fault injection to physically disrupt the ESP32 CPU can bypass the Secure Boot digest verification at startup, and boot unverified code from flash. The fault injection attack does not disable the Flash Encryption feature, so if the ESP32 is configured with the recommended combination of Secure Boot and Flash Encryption, then the impact is minimized. If the ESP32 is configured without Flash Encryption then successful fault injection allows arbitrary code execution. To protect devices with Flash Encryption and Secure Boot enabled against this attack, a firmware change must be made to permanently enable Flash Encryption in the field if it is not already permanently enabled.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:03:32.584Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://www.espressif.com/en/news/Espressif_Security_Advisory_Concerning_Fault_Injection_and_Secure_Boot" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, 3.1.x through 3.1.6, 3.2.x through 3.2.3, and 3.3.x through 3.3.1. An attacker who uses fault injection to physically disrupt the ESP32 CPU can bypass the Secure Boot digest verification at startup, and boot unverified code from flash. The fault injection attack does not disable the Flash Encryption feature, so if the ESP32 is configured with the recommended combination of Secure Boot and Flash Encryption, then the impact is minimized. If the ESP32 is configured without Flash Encryption then successful fault injection allows arbitrary code execution. To protect devices with Flash Encryption and Secure Boot enabled against this attack, a firmware change must be made to permanently enable Flash Encryption in the field if it is not already permanently enabled." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-10-07T15:54:40", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://www.espressif.com/en/news/Espressif_Security_Advisory_Concerning_Fault_Injection_and_Secure_Boot" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-15894", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, 3.1.x through 3.1.6, 3.2.x through 3.2.3, and 3.3.x through 3.3.1. An attacker who uses fault injection to physically disrupt the ESP32 CPU can bypass the Secure Boot digest verification at startup, and boot unverified code from flash. The fault injection attack does not disable the Flash Encryption feature, so if the ESP32 is configured with the recommended combination of Secure Boot and Flash Encryption, then the impact is minimized. If the ESP32 is configured without Flash Encryption then successful fault injection allows arbitrary code execution. To protect devices with Flash Encryption and Secure Boot enabled against this attack, a firmware change must be made to permanently enable Flash Encryption in the field if it is not already permanently enabled." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.espressif.com/en/news/Espressif_Security_Advisory_Concerning_Fault_Injection_and_Secure_Boot", "refsource": "CONFIRM", "url": "https://www.espressif.com/en/news/Espressif_Security_Advisory_Concerning_Fault_Injection_and_Secure_Boot" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-15894", "datePublished": "2019-10-07T15:54:40", "dateReserved": "2019-09-03T00:00:00", "dateUpdated": "2024-08-05T01:03:32.584Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-28139 (GCVE-0-2021-28139)
Vulnerability from cvelistv5
Published
2021-09-07 06:27
Modified
2024-08-03 21:33
CWE
- n/a
Summary
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:33:17.547Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp-idf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.espressif.com/en/products/socs/esp32" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-07T06:27:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.espressif.com/en/products/socs/esp32" }, { "tags": [ "x_refsource_MISC" ], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28139", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/espressif/esp-idf", "refsource": "MISC", "url": "https://github.com/espressif/esp-idf" }, { "name": "https://github.com/espressif/esp32-bt-lib", "refsource": "MISC", "url": "https://github.com/espressif/esp32-bt-lib" }, { "name": "https://www.espressif.com/en/products/socs/esp32", "refsource": "MISC", "url": "https://www.espressif.com/en/products/socs/esp32" }, { "name": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf", "refsource": "MISC", "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28139", "datePublished": "2021-09-07T06:27:53", "dateReserved": "2021-03-11T00:00:00", "dateUpdated": "2024-08-03T21:33:17.547Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-28136 (GCVE-0-2021-28136)
Vulnerability from cvelistv5
Published
2021-09-07 05:52
Modified
2024-08-03 21:33
CWE
- n/a
Summary
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:33:17.448Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp-idf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.espressif.com/en/products/socs/esp32" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-07T05:52:46", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.espressif.com/en/products/socs/esp32" }, { "tags": [ "x_refsource_MISC" ], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28136", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/espressif/esp-idf", "refsource": "MISC", "url": "https://github.com/espressif/esp-idf" }, { "name": "https://github.com/espressif/esp32-bt-lib", "refsource": "MISC", "url": "https://github.com/espressif/esp32-bt-lib" }, { "name": "https://www.espressif.com/en/products/socs/esp32", "refsource": "MISC", "url": "https://www.espressif.com/en/products/socs/esp32" }, { "name": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf", "refsource": "MISC", "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28136", "datePublished": "2021-09-07T05:52:46", "dateReserved": "2021-03-11T00:00:00", "dateUpdated": "2024-08-03T21:33:17.448Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-16146 (GCVE-0-2020-16146)
Vulnerability from cvelistv5
Published
2021-01-12 02:56
Modified
2024-08-04 13:37
CWE
- n/a
Summary
Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, 3.1.x through 3.1.7, 3.2.x through 3.2.3, 3.3.x through 3.3.2, and 4.0.x through 4.0.1 has a Buffer Overflow in BluFi provisioning in btc_blufi_recv_handler function in blufi_prf.c. An attacker can send a crafted BluFi protocol Write Attribute command to characteristic 0xFF01. With manipulated packet fields, there is a buffer overflow.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:37:53.848Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp-idf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/CVE-2020-16146.md" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, 3.1.x through 3.1.7, 3.2.x through 3.2.3, 3.3.x through 3.3.2, and 4.0.x through 4.0.1 has a Buffer Overflow in BluFi provisioning in btc_blufi_recv_handler function in blufi_prf.c. An attacker can send a crafted BluFi protocol Write Attribute command to characteristic 0xFF01. With manipulated packet fields, there is a buffer overflow." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-12T02:56:11", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/CVE-2020-16146.md" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-16146", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, 3.1.x through 3.1.7, 3.2.x through 3.2.3, 3.3.x through 3.3.2, and 4.0.x through 4.0.1 has a Buffer Overflow in BluFi provisioning in btc_blufi_recv_handler function in blufi_prf.c. An attacker can send a crafted BluFi protocol Write Attribute command to characteristic 0xFF01. With manipulated packet fields, there is a buffer overflow." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/espressif/esp-idf", "refsource": "MISC", "url": "https://github.com/espressif/esp-idf" }, { "name": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/CVE-2020-16146.md", "refsource": "MISC", "url": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/CVE-2020-16146.md" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-16146", "datePublished": "2021-01-12T02:56:11", "dateReserved": "2020-07-30T00:00:00", "dateUpdated": "2024-08-04T13:37:53.848Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-12586 (GCVE-0-2019-12586)
Vulnerability from cvelistv5
Published
2019-09-04 20:00
Modified
2024-08-04 23:24
CWE
- n/a
Summary
The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 processes EAP Success messages before any EAP method completion or failure, which allows attackers in radio range to cause a denial of service (crash) via a crafted message.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:24:38.851Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Matheus-Garbelini/esp32_esp8266_attacks" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://matheus-garbelini.github.io/home/post/esp32-esp8266-eap-crash/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 processes EAP Success messages before any EAP method completion or failure, which allows attackers in radio range to cause a denial of service (crash) via a crafted message." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-04T20:00:45", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Matheus-Garbelini/esp32_esp8266_attacks" }, { "tags": [ "x_refsource_MISC" ], "url": "https://matheus-garbelini.github.io/home/post/esp32-esp8266-eap-crash/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12586", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 processes EAP Success messages before any EAP method completion or failure, which allows attackers in radio range to cause a denial of service (crash) via a crafted message." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/espressif", "refsource": "MISC", "url": "https://github.com/espressif" }, { "name": "https://github.com/Matheus-Garbelini/esp32_esp8266_attacks", "refsource": "MISC", "url": "https://github.com/Matheus-Garbelini/esp32_esp8266_attacks" }, { "name": "https://matheus-garbelini.github.io/home/post/esp32-esp8266-eap-crash/", "refsource": "MISC", "url": "https://matheus-garbelini.github.io/home/post/esp32-esp8266-eap-crash/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12586", "datePublished": "2019-09-04T20:00:45", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:38.851Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-53406 (GCVE-0-2024-53406)
Vulnerability from cvelistv5
Published
2025-03-13 00:00
Modified
2025-03-19 18:42
CWE
- n/a
Summary
Espressif Esp idf v5.3.0 is vulnerable to Insecure Permissions resulting in Authentication bypass. In the reconnection phase, the device reuses the session key from a previous connection session, creating an opportunity for attackers to execute security bypass attacks.
References
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2024-53406", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-03-19T17:08:50.323042Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-19T18:42:46.005Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Espressif Esp idf v5.3.0 is vulnerable to Insecure Permissions resulting in Authentication bypass. In the reconnection phase, the device reuses the session key from a previous connection session, creating an opportunity for attackers to execute security bypass attacks." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2025-03-13T17:08:04.530Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/espressif/esp-idf" }, { "url": "https://github.com/yangting111/BLE_TEST/blob/main/result/PoC/Esp/sk_reuse.md" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2024-53406", "datePublished": "2025-03-13T00:00:00.000Z", "dateReserved": "2024-11-20T00:00:00.000Z", "dateUpdated": "2025-03-19T18:42:46.005Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-24893 (GCVE-0-2022-24893)
Vulnerability from cvelistv5
Published
2022-06-25 06:55
Modified
2025-04-23 18:09
Summary
ESP-IDF is the official development framework for Espressif SoCs. In Espressif’s Bluetooth Mesh SDK (`ESP-BLE-MESH`), a memory corruption vulnerability can be triggered during provisioning, because there is no check for the `SegN` field of the Transaction Start PDU. This can result in memory corruption related attacks and potentially attacker gaining control of the entire system. Patch commits are available on the 4.1, 4.2, 4.3 and 4.4 branches and users are recommended to upgrade. The upgrade is applicable for all applications and users of `ESP-BLE-MESH` component from `ESP-IDF`. As it is implemented in the Bluetooth Mesh stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:29:01.409Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-7f7f-jj2q-28wm" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-24893", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-04-23T15:52:12.850200Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-04-23T18:09:01.131Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "esp-idf", "vendor": "espressif", "versions": [ { "status": "affected", "version": "\u003c 4.1.4" }, { "status": "affected", "version": "\u003e 4.2.0, \u003c 4.2.4" }, { "status": "affected", "version": "\u003e 4.3.2, \u003c 4.3.3" }, { "status": "affected", "version": "\u003e 4.4.1, \u003c 4.4.2" } ] } ], "descriptions": [ { "lang": "en", "value": "ESP-IDF is the official development framework for Espressif SoCs. In Espressif\u2019s Bluetooth Mesh SDK (`ESP-BLE-MESH`), a memory corruption vulnerability can be triggered during provisioning, because there is no check for the `SegN` field of the Transaction Start PDU. This can result in memory corruption related attacks and potentially attacker gaining control of the entire system. Patch commits are available on the 4.1, 4.2, 4.3 and 4.4 branches and users are recommended to upgrade. The upgrade is applicable for all applications and users of `ESP-BLE-MESH` component from `ESP-IDF`. As it is implemented in the Bluetooth Mesh stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-788", "description": "CWE-788: Access of Memory Location After End of Buffer", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-25T06:55:09.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-7f7f-jj2q-28wm" } ], "source": { "advisory": "GHSA-7f7f-jj2q-28wm", "discovery": "UNKNOWN" }, "title": "Espressif Bluetooth Mesh Stack Vulnerable to Out-of-bounds Write leading to memory buffer corruption", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-24893", "STATE": "PUBLIC", "TITLE": "Espressif Bluetooth Mesh Stack Vulnerable to Out-of-bounds Write leading to memory buffer corruption" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "esp-idf", "version": { "version_data": [ { "version_value": "\u003c 4.1.4" }, { "version_value": "\u003e 4.2.0, \u003c 4.2.4" }, { "version_value": "\u003e 4.3.2, \u003c 4.3.3" }, { "version_value": "\u003e 4.4.1, \u003c 4.4.2" } ] } } ] }, "vendor_name": "espressif" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ESP-IDF is the official development framework for Espressif SoCs. 
In Espressif\u2019s Bluetooth Mesh SDK (`ESP-BLE-MESH`), a memory corruption vulnerability can be triggered during provisioning, because there is no check for the `SegN` field of the Transaction Start PDU. This can result in memory corruption related attacks and potentially attacker gaining control of the entire system. Patch commits are available on the 4.1, 4.2, 4.3 and 4.4 branches and users are recommended to upgrade. The upgrade is applicable for all applications and users of `ESP-BLE-MESH` component from `ESP-IDF`. As it is implemented in the Bluetooth Mesh stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "ADJACENT", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-787: Out-of-bounds Write" } ] }, { "description": [ { "lang": "eng", "value": "CWE-788: Access of Memory Location After End of Buffer" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-7f7f-jj2q-28wm", "refsource": "CONFIRM", "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-7f7f-jj2q-28wm" } ] }, "source": { "advisory": "GHSA-7f7f-jj2q-28wm", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-24893", "datePublished": "2022-06-25T06:55:09.000Z", "dateReserved": "2022-02-10T00:00:00.000Z", "dateUpdated": "2025-04-23T18:09:01.131Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-13595 (GCVE-0-2020-13595)
Vulnerability from cvelistv5
Published
2020-08-31 14:59
Modified
2024-08-04 12:25
CWE
- n/a
Summary
The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target's BLE stack) by sending a crafted sequence of BLE packets.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:25:16.288Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://asset-group.github.io/disclosures/sweyntooth/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://asset-group.github.io/cves.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp32-bt-lib" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target\u0027s BLE stack) by sending a crafted sequence of BLE packets." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-31T14:59:57", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://asset-group.github.io/disclosures/sweyntooth/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://asset-group.github.io/cves.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp32-bt-lib" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-13595", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target\u0027s BLE stack) by sending a crafted sequence of BLE packets." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://asset-group.github.io/disclosures/sweyntooth/", "refsource": "MISC", "url": "https://asset-group.github.io/disclosures/sweyntooth/" }, { "name": "https://asset-group.github.io/cves.html", "refsource": "MISC", "url": "https://asset-group.github.io/cves.html" }, { "name": "https://github.com/espressif/esp32-bt-lib", "refsource": "MISC", "url": "https://github.com/espressif/esp32-bt-lib" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-13595", "datePublished": "2020-08-31T14:59:57", "dateReserved": "2020-05-26T00:00:00", "dateUpdated": "2024-08-04T12:25:16.288Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-28135 (GCVE-0-2021-28135)
Vulnerability from cvelistv5
Published
2021-09-07 05:56
Modified
2024-08-03 21:33
CWE
- n/a
Summary
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service (crash) in ESP32 by flooding the target device with LMP Feature Response data.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:33:17.612Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp-idf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.espressif.com/en/products/socs/esp32" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service (crash) in ESP32 by flooding the target device with LMP Feature Response data." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-07T05:56:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.espressif.com/en/products/socs/esp32" }, { "tags": [ "x_refsource_MISC" ], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28135", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service (crash) in ESP32 by flooding the target device with LMP Feature Response data." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/espressif/esp-idf", "refsource": "MISC", "url": "https://github.com/espressif/esp-idf" }, { "name": "https://github.com/espressif/esp32-bt-lib", "refsource": "MISC", "url": "https://github.com/espressif/esp32-bt-lib" }, { "name": "https://www.espressif.com/en/products/socs/esp32", "refsource": "MISC", "url": "https://www.espressif.com/en/products/socs/esp32" }, { "name": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf", "refsource": "MISC", "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28135", "datePublished": "2021-09-07T05:56:29", "dateReserved": "2021-03-11T00:00:00", "dateUpdated": "2024-08-03T21:33:17.612Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2018-18558 (GCVE-0-2018-18558)
Vulnerability from cvelistv5
Published
2019-05-13 12:49
Modified
2024-08-05 11:15
CWE
- n/a
Summary
An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T11:15:58.936Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp-idf/releases" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-05-13T12:49:59", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/releases" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-18558", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/espressif/esp-idf/releases", "refsource": "MISC", "url": "https://github.com/espressif/esp-idf/releases" }, { "name": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_(CVE-2018-18558)", "refsource": "MISC", "url": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_(CVE-2018-18558)" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-18558", "datePublished": "2019-05-13T12:49:59", "dateReserved": "2018-10-22T00:00:00", "dateUpdated": "2024-08-05T11:15:58.936Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-28183 (GCVE-0-2024-28183)
Vulnerability from cvelistv5
Published
2024-03-25 14:31
Modified
2024-08-02 00:48
CWE
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
Summary
ESP-IDF is the development framework for Espressif SoCs supported on Windows, Linux and macOS. A Time-of-Check to Time-of-Use (TOCTOU) vulnerability was discovered in the implementation of the ESP-IDF bootloader which could allow an attacker with physical access to the device's flash to bypass anti-rollback protection. Anti-rollback prevents rollback to an application whose security version is lower than the one programmed in the chip's eFuse. This attack can allow booting a past (passive) application partition of the same device that has a lower security version, even in the presence of the flash encryption scheme. The attack requires carefully modifying the flash contents after the anti-rollback checks have been performed by the bootloader (before loading the application). The vulnerability is fixed in 4.4.7 and 5.2.1.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-28183", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-03-25T19:26:58.289614Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T18:03:55.591Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T00:48:49.763Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-22x6-3756-pfp8", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-22x6-3756-pfp8" }, { "name": "https://github.com/espressif/esp-idf/commit/3305cb4d235182067936f8e940e6db174e25b4b2", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp-idf/commit/3305cb4d235182067936f8e940e6db174e25b4b2" }, { "name": "https://github.com/espressif/esp-idf/commit/4c95aa445d4e84f01f86b6f3a552aa299276abf3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp-idf/commit/4c95aa445d4e84f01f86b6f3a552aa299276abf3" }, { "name": "https://github.com/espressif/esp-idf/commit/534e3ad1fa68526a5f989fb2163856d6b7cd2c87", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp-idf/commit/534e3ad1fa68526a5f989fb2163856d6b7cd2c87" }, { "name": "https://github.com/espressif/esp-idf/commit/7003f1ef0dffc73c34eb153d1b0710babb078149", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp-idf/commit/7003f1ef0dffc73c34eb153d1b0710babb078149" }, { "name": "https://github.com/espressif/esp-idf/commit/b2cdc0678965790f49afeb6e6b0737cd24433a05", "tags": [ "x_refsource_MISC", "x_transferred" ], 
"url": "https://github.com/espressif/esp-idf/commit/b2cdc0678965790f49afeb6e6b0737cd24433a05" }, { "name": "https://github.com/espressif/esp-idf/commit/c33b9e1426121ce8cccf1a94241740be9cff68de", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp-idf/commit/c33b9e1426121ce8cccf1a94241740be9cff68de" }, { "name": "https://github.com/espressif/esp-idf/commit/f327ddf6adab0c28d395975785727b2feef57803", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp-idf/commit/f327ddf6adab0c28d395975785727b2feef57803" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "esp-idf", "vendor": "espressif", "versions": [ { "status": "affected", "version": "\u003c 4.4.7" }, { "status": "affected", "version": "\u003e= 5.0, \u003c= 5.0.6" }, { "status": "affected", "version": "\u003e= 5.1, \u003c= 5.1.3" }, { "status": "affected", "version": "\u003e= 5.2, \u003c 5.2.1" } ] } ], "descriptions": [ { "lang": "en", "value": "ESP-IDF is the development framework for Espressif SoCs supported on Windows, Linux and macOS. A Time-of-Check to Time-of-Use (TOCTOU) vulnerability was discovered in the implementation of the ESP-IDF bootloader which could allow an attacker with physical access to flash of the device to bypass anti-rollback protection. Anti-rollback prevents rollback to application with security version lower than one programmed in eFuse of chip. This attack can allow to boot past (passive) application partition having lower security version of the same device even in the presence of the flash encryption scheme. The attack requires carefully modifying the flash contents after the anti-rollback checks have been performed by the bootloader (before loading the application). The vulnerability is fixed in 4.4.7 and 5.2.1." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-03-25T14:31:28.466Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-22x6-3756-pfp8", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-22x6-3756-pfp8" }, { "name": "https://github.com/espressif/esp-idf/commit/3305cb4d235182067936f8e940e6db174e25b4b2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/3305cb4d235182067936f8e940e6db174e25b4b2" }, { "name": "https://github.com/espressif/esp-idf/commit/4c95aa445d4e84f01f86b6f3a552aa299276abf3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/4c95aa445d4e84f01f86b6f3a552aa299276abf3" }, { "name": "https://github.com/espressif/esp-idf/commit/534e3ad1fa68526a5f989fb2163856d6b7cd2c87", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/534e3ad1fa68526a5f989fb2163856d6b7cd2c87" }, { "name": "https://github.com/espressif/esp-idf/commit/7003f1ef0dffc73c34eb153d1b0710babb078149", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/7003f1ef0dffc73c34eb153d1b0710babb078149" }, { "name": "https://github.com/espressif/esp-idf/commit/b2cdc0678965790f49afeb6e6b0737cd24433a05", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/espressif/esp-idf/commit/b2cdc0678965790f49afeb6e6b0737cd24433a05" }, { "name": "https://github.com/espressif/esp-idf/commit/c33b9e1426121ce8cccf1a94241740be9cff68de", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/c33b9e1426121ce8cccf1a94241740be9cff68de" }, { "name": "https://github.com/espressif/esp-idf/commit/f327ddf6adab0c28d395975785727b2feef57803", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/f327ddf6adab0c28d395975785727b2feef57803" } ], "source": { "advisory": "GHSA-22x6-3756-pfp8", "discovery": "UNKNOWN" }, "title": "Anti Rollback bypass with physical access and TOCTOU attack" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-28183", "datePublished": "2024-03-25T14:31:28.466Z", "dateReserved": "2024-03-06T17:35:00.857Z", "dateUpdated": "2024-08-02T00:48:49.763Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-53845 (GCVE-0-2024-53845)
Vulnerability from cvelistv5
Published
2024-12-11 22:35
Modified
2024-12-12 16:35
CWE
Summary
ESPTouch is a connection protocol for Internet of Things devices. In the ESPTouchV2 protocol, while there is an option to use a custom AES key, there was no option to set the IV (Initialization Vector) prior to versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. The IV was set to zero and remained constant throughout the product's lifetime. In AES/CBC mode, if the IV is not properly initialized, the encrypted output becomes deterministic (identical plaintexts encrypt to identical ciphertexts under the same key), leading to potential data leakage. To address the aforementioned issues, the application generates a random IV when activating the AES key starting in versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. This IV is then transmitted along with the provisioning data to the device being provisioned, which has also been equipped with a parser for the AES IV. The upgrade is applicable for all applications and users of the ESPTouch v2 component from ESP-IDF. As it is implemented in the ESP Wi-Fi stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-53845", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-12-12T16:34:50.853994Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-12-12T16:35:00.685Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "esp-idf", "vendor": "espressif", "versions": [ { "status": "affected", "version": "\u003e= 5.3.0, \u003c 5.3.2" }, { "status": "affected", "version": "\u003e= 5.2.0, \u003c 5.2.4" }, { "status": "affected", "version": "\u003e= 5.1.0, \u003c 5.1.6" }, { "status": "affected", "version": "\u003c 5.0.8" } ] } ], "descriptions": [ { "lang": "en", "value": "ESPTouch is a connection protocol for internet of things devices. In the ESPTouchV2 protocol, while there is an option to use a custom AES key, there is no option to set the IV (Initialization Vector) prior to versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. The IV is set to zero and remains constant throughout the product\u0027s lifetime. In AES/CBC mode, if the IV is not properly initialized, the encrypted output becomes deterministic, leading to potential data leakage. To address the aforementioned issues, the application generates a random IV when activating the AES key starting in versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. This IV is then transmitted along with the provision data to the provision device. The provision device has also been equipped with a parser for the AES IV. The upgrade is applicable for all applications and users of ESPTouch v2 component from ESP-IDF. As it is implemented in the ESP Wi-Fi stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.6, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-327", "description": "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-909", "description": "CWE-909: Missing Initialization of Resource", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-12-11T22:35:48.528Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-wm57-466g-mhrr", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-wm57-466g-mhrr" }, { "name": "https://github.com/espressif/esp-idf/commit/4f85a2726e04b737c8646d865b44ddd837b703db", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/4f85a2726e04b737c8646d865b44ddd837b703db" }, { "name": "https://github.com/espressif/esp-idf/commit/8fb28dcedcc49916a5206456a3a61022d4302cd8", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/8fb28dcedcc49916a5206456a3a61022d4302cd8" }, { "name": "https://github.com/espressif/esp-idf/commit/d47ed7d6f814e21c5bc8997ab0bc68e2360e5cb2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/d47ed7d6f814e21c5bc8997ab0bc68e2360e5cb2" }, { "name": "https://github.com/espressif/esp-idf/commit/de69895f38d563e22228f5ba23fffa02feabc3a9", 
"tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/de69895f38d563e22228f5ba23fffa02feabc3a9" }, { "name": "https://github.com/espressif/esp-idf/commit/fd224e83bbf133833638b277c767be7f7cdd97c7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/fd224e83bbf133833638b277c767be7f7cdd97c7" }, { "name": "https://github.com/EspressifApp/EsptouchForAndroid/tree/master/esptouch-v2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/EspressifApp/EsptouchForAndroid/tree/master/esptouch-v2" }, { "name": "https://github.com/EspressifApp/EsptouchForIOS/tree/master/EspTouchDemo/ESPTouchV2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/EspressifApp/EsptouchForIOS/tree/master/EspTouchDemo/ESPTouchV2" }, { "name": "https://github.com/espressif/esp-idf/tree/master/components/esp_wifi", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/tree/master/components/esp_wifi" } ], "source": { "advisory": "GHSA-wm57-466g-mhrr", "discovery": "UNKNOWN" }, "title": "AES/CBC Constant IV Vulnerability in ESPTouch v2" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-53845", "datePublished": "2024-12-11T22:35:48.528Z", "dateReserved": "2024-11-22T17:30:02.139Z", "dateUpdated": "2024-12-12T16:35:00.685Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-55297 (GCVE-0-2025-55297)
Vulnerability from cvelistv5
Published
2025-08-21 15:05
Modified
2025-08-21 15:05
CWE
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. The BluFi example bundled in ESP-IDF was vulnerable to memory overflows in two areas: Wi-Fi credential handling and Diffie–Hellman key exchange. This vulnerability is fixed in 5.4.1, 5.3.3, 5.1.6, and 5.0.9.
References
Impacted products
{ "containers": { "cna": { "affected": [ { "product": "esp-idf", "vendor": "espressif", "versions": [ { "status": "affected", "version": "\u003c 5.0.9" }, { "status": "affected", "version": "\u003e= 5.1-beta1, \u003c 5.1.6" }, { "status": "affected", "version": "\u003e= 5.2-beta1, \u003c 5.3.3" }, { "status": "affected", "version": "\u003e= 5.4-beta1, \u003c 5.4.1" } ] } ], "descriptions": [ { "lang": "en", "value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. The BluFi example bundled in ESP-IDF was vulnerable to memory overflows in two areas: Wi-Fi credential handling and Diffie\u2013Hellman key exchange. This vulnerability is fixed in 5.4.1, 5.3.3, 5.1.6, and 5.0.9." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "baseScore": 5.2, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-120", "description": "CWE-120: Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-131", "description": "CWE-131: Incorrect Calculation of Buffer Size", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-08-21T15:05:06.805Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9w88-r2vm-qfc4", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9w88-r2vm-qfc4" }, { "name": 
"https://github.com/espressif/esp-idf/commit/12b7a9e6d78012ab9184b7ccdb5524364bf7e345", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/12b7a9e6d78012ab9184b7ccdb5524364bf7e345" }, { "name": "https://github.com/espressif/esp-idf/commit/3fc6c93936077cb1659e1f0e0268e62cf6423e9d", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/3fc6c93936077cb1659e1f0e0268e62cf6423e9d" }, { "name": "https://github.com/espressif/esp-idf/commit/5f93ec3b11b6115475c34de57093b3672d594e8f", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/5f93ec3b11b6115475c34de57093b3672d594e8f" }, { "name": "https://github.com/espressif/esp-idf/commit/9cb7206d4ae8fd8f4296cd57d6c78a1656f42efa", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/9cb7206d4ae8fd8f4296cd57d6c78a1656f42efa" }, { "name": "https://github.com/espressif/esp-idf/commit/abc18e93eb3500dbec74c3e589671ef82c8b3919", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/abc18e93eb3500dbec74c3e589671ef82c8b3919" }, { "name": "https://github.com/espressif/esp-idf/commit/b1657d9dd4d0e48ed25e02cb8fe8413f479a2a84", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/b1657d9dd4d0e48ed25e02cb8fe8413f479a2a84" }, { "name": "https://github.com/espressif/esp-idf/commit/bf50c0c197af30990026c8f8286298d2aa5a3c99", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/bf50c0c197af30990026c8f8286298d2aa5a3c99" }, { "name": "https://github.com/espressif/esp-idf/commit/cb6929a2e6f2ff130b742332dc15eb23006c7cc9", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/cb6929a2e6f2ff130b742332dc15eb23006c7cc9" }, { "name": "https://github.com/espressif/esp-idf/commit/cc00e9f2fc4f7e8fbaff27851b4a8b45fa483501", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/espressif/esp-idf/commit/cc00e9f2fc4f7e8fbaff27851b4a8b45fa483501" }, { "name": "https://github.com/espressif/esp-idf/commit/e65cf7ea2a2be52219ec9d4efc44aed5e490e91c", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/e65cf7ea2a2be52219ec9d4efc44aed5e490e91c" }, { "name": "https://github.com/espressif/esp-idf/commit/f40aa9c587a8e570dfde2e6330382dcd170d5a5d", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/f40aa9c587a8e570dfde2e6330382dcd170d5a5d" }, { "name": "https://github.com/espressif/esp-idf/commit/f77da0d5b5382635c99e6708551b73802ad1213d", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/f77da0d5b5382635c99e6708551b73802ad1213d" } ], "source": { "advisory": "GHSA-9w88-r2vm-qfc4", "discovery": "UNKNOWN" }, "title": "ESF-IDF BluFi Example Memory Overflow Vulnerability" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-55297", "datePublished": "2025-08-21T15:05:06.805Z", "dateReserved": "2025-08-12T16:15:30.238Z", "dateUpdated": "2025-08-21T15:05:06.805Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-13594 (GCVE-0-2020-13594)
Vulnerability from cvelistv5
Published
2020-08-31 14:58
Modified
2024-08-04 12:25
CWE
- n/a
Summary
The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.2 and earlier (for ESP32 devices) does not properly restrict the channel map field of the connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:25:16.208Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://asset-group.github.io/disclosures/sweyntooth/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://asset-group.github.io/cves.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp32-bt-lib" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.2 and earlier (for ESP32 devices) does not properly restrict the channel map field of the connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-08-31T14:58:25", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://asset-group.github.io/disclosures/sweyntooth/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://asset-group.github.io/cves.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp32-bt-lib" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-13594", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.2 and earlier (for ESP32 devices) does not properly restrict the channel map field of the connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://asset-group.github.io/disclosures/sweyntooth/", "refsource": "MISC", "url": "https://asset-group.github.io/disclosures/sweyntooth/" }, { "name": "https://asset-group.github.io/cves.html", "refsource": "MISC", "url": "https://asset-group.github.io/cves.html" }, { "name": "https://github.com/espressif/esp32-bt-lib", "refsource": "MISC", "url": "https://github.com/espressif/esp32-bt-lib" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-13594", "datePublished": "2020-08-31T14:58:25", "dateReserved": "2020-05-26T00:00:00", "dateUpdated": "2024-08-04T12:25:16.208Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2019-12587 (GCVE-0-2019-12587)
Vulnerability from cvelistv5
Published
2019-09-04 11:31
Modified
2024-08-04 23:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 allows the installation of a zero Pairwise Master Key (PMK) after the completion of any EAP authentication method, which allows attackers in radio range to replay, decrypt, or spoof frames via a rogue access point.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:24:38.689Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Matheus-Garbelini/esp32_esp8266_attacks" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://matheus-garbelini.github.io/home/post/zero-pmk-installation/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 allows the installation of a zero Pairwise Master Key (PMK) after the completion of any EAP authentication method, which allows attackers in radio range to replay, decrypt, or spoof frames via a rogue access point." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-04T11:31:48", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Matheus-Garbelini/esp32_esp8266_attacks" }, { "tags": [ "x_refsource_MISC" ], "url": "https://matheus-garbelini.github.io/home/post/zero-pmk-installation/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12587", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 allows the installation of a zero Pairwise Master Key (PMK) after the completion of any EAP authentication method, which allows attackers in radio range to replay, decrypt, or spoof frames via a rogue access point." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/espressif", "refsource": "MISC", "url": "https://github.com/espressif" }, { "name": "https://github.com/Matheus-Garbelini/esp32_esp8266_attacks", "refsource": "MISC", "url": "https://github.com/Matheus-Garbelini/esp32_esp8266_attacks" }, { "name": "https://matheus-garbelini.github.io/home/post/zero-pmk-installation/", "refsource": "MISC", "url": "https://matheus-garbelini.github.io/home/post/zero-pmk-installation/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12587", "datePublished": "2019-09-04T11:31:48", "dateReserved": "2019-06-02T00:00:00", "dateUpdated": "2024-08-04T23:24:38.689Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-52471 (GCVE-0-2025-52471)
Vulnerability from cvelistv5
Published
2025-06-24 19:53
Modified
2025-06-24 20:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-191 - Integer Underflow (Wrap or Wraparound)
Summary
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation.
References
Impacted products
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-52471", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-06-24T20:02:03.737707Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-06-24T20:02:18.529Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "esp-idf", "vendor": "espressif", "versions": [ { "status": "affected", "version": "= 5.4.1" }, { "status": "affected", "version": "= 5.3.3" }, { "status": "affected", "version": "= 5.2.5" }, { "status": "affected", "version": "= 5.1.6" } ] } ], "descriptions": [ { "lang": "en", "value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. 
Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation." } ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 7.2, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-191", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-06-24T19:53:06.066Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hqhh-cp47-fv5g", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-hqhh-cp47-fv5g" }, { "name": "https://github.com/espressif/esp-idf/commit/b1a379d57430d265a53aca13d59ddfbf2e7ac409", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/b1a379d57430d265a53aca13d59ddfbf2e7ac409" }, { "name": "https://github.com/espressif/esp-idf/commit/c5fc81917805f99e687c81cc56b68dc5df7ef8b5", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/c5fc81917805f99e687c81cc56b68dc5df7ef8b5" }, { "name": "https://github.com/espressif/esp-idf/commit/d4dafbdc3572387cd4f9a62b776580bc4ac3bde7", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/d4dafbdc3572387cd4f9a62b776580bc4ac3bde7" }, { "name": "https://github.com/espressif/esp-idf/commit/d6ec5a52255b17c1d6ef379e89f9de2c379042f8", "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/espressif/esp-idf/commit/d6ec5a52255b17c1d6ef379e89f9de2c379042f8" }, { "name": "https://github.com/espressif/esp-idf/commit/df7757d8279871fa7a2f42ef3962c6c1ec88b8a2", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/df7757d8279871fa7a2f42ef3962c6c1ec88b8a2" }, { "name": "https://github.com/espressif/esp-idf/commit/edc227c5eaeced999b5212943a9434379f8aad80", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf/commit/edc227c5eaeced999b5212943a9434379f8aad80" } ], "source": { "advisory": "GHSA-hqhh-cp47-fv5g", "discovery": "UNKNOWN" }, "title": "ESP-NOW Integer Underflow Vulnerability Advisory" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-52471", "datePublished": "2025-06-24T19:53:06.066Z", "dateReserved": "2025-06-17T02:28:39.716Z", "dateUpdated": "2025-06-24T20:02:18.529Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-12638 (GCVE-0-2020-12638)
Vulnerability from cvelistv5
Published
2020-07-23 15:41
Modified
2024-08-04 12:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An encryption-bypass issue was discovered on Espressif ESP-IDF devices through 4.2, ESP8266_NONOS_SDK devices through 3.0.3, and ESP8266_RTOS_SDK devices through 3.3. Broadcasting forged beacon frames forces a device to change its authentication mode to OPEN, effectively disabling its 802.11 encryption.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T12:04:22.314Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/esp-idf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/ESP8266_NONOS_SDK" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/espressif/ESP8266_RTOS_SDK" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An encryption-bypass issue was discovered on Espressif ESP-IDF devices through 4.2, ESP8266_NONOS_SDK devices through 3.0.3, and ESP8266_RTOS_SDK devices through 3.3. Broadcasting forged beacon frames forces a device to change its authentication mode to OPEN, effectively disabling its 802.11 encryption." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-07-23T15:41:58", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/esp-idf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/ESP8266_NONOS_SDK" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/espressif/ESP8266_RTOS_SDK" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-12638", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An encryption-bypass issue was discovered on Espressif ESP-IDF devices through 4.2, ESP8266_NONOS_SDK devices through 3.0.3, and ESP8266_RTOS_SDK devices through 3.3. Broadcasting forged beacon frames forces a device to change its authentication mode to OPEN, effectively disabling its 802.11 encryption." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/espressif/esp-idf", "refsource": "MISC", "url": "https://github.com/espressif/esp-idf" }, { "name": "https://github.com/espressif/ESP8266_NONOS_SDK", "refsource": "MISC", "url": "https://github.com/espressif/ESP8266_NONOS_SDK" }, { "name": "https://github.com/espressif/ESP8266_RTOS_SDK", "refsource": "MISC", "url": "https://github.com/espressif/ESP8266_RTOS_SDK" }, { "name": "https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors", "refsource": "MISC", "url": "https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-12638", "datePublished": "2020-07-23T15:41:58", "dateReserved": "2020-05-04T00:00:00", "dateUpdated": "2024-08-04T12:04:22.314Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2022-06-25 07:15
Modified
2024-11-21 06:51
Severity ?
7.5 (High) - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
ESP-IDF is the official development framework for Espressif SoCs. In Espressif’s Bluetooth Mesh SDK (`ESP-BLE-MESH`), a memory corruption vulnerability can be triggered during provisioning, because there is no check for the `SegN` field of the Transaction Start PDU. This can result in memory-corruption-related attacks and potentially an attacker gaining control of the entire system. Patch commits are available on the 4.1, 4.2, 4.3 and 4.4 branches and users are recommended to upgrade. The upgrade is applicable for all applications and users of the `ESP-BLE-MESH` component from `ESP-IDF`. As it is implemented in the Bluetooth Mesh stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware.
References
▶ | URL | Tags | |
---|---|---|---|
security-advisories@github.com | https://github.com/espressif/esp-idf/security/advisories/GHSA-7f7f-jj2q-28wm | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp-idf/security/advisories/GHSA-7f7f-jj2q-28wm | Patch, Third Party Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:esp-idf:4.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "0F47D8F2-D988-4FB8-A207-1FC50A847A05", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp-idf:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "2A623086-6DB4-485C-9CCE-C67357E84258", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp-idf:4.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "E9AB5D52-4B51-4436-BAD4-82906CD7F9CF", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp-idf:4.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "2E24FD68-7908-4C0F-BD6B-8641992870F5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ESP-IDF is the official development framework for Espressif SoCs. In Espressif\u2019s Bluetooth Mesh SDK (`ESP-BLE-MESH`), a memory corruption vulnerability can be triggered during provisioning, because there is no check for the `SegN` field of the Transaction Start PDU. This can result in memory corruption related attacks and potentially attacker gaining control of the entire system. Patch commits are available on the 4.1, 4.2, 4.3 and 4.4 branches and users are recommended to upgrade. The upgrade is applicable for all applications and users of `ESP-BLE-MESH` component from `ESP-IDF`. As it is implemented in the Bluetooth Mesh stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware." }, { "lang": "es", "value": "ESP-IDF es el marco de desarrollo oficial de los SoC de Espressif. En el SDK de malla Bluetooth de Espressif (\"ESP-BLE-MESH\"), puede desencadenarse una vulnerabilidad de corrupci\u00f3n de memoria durante el aprovisionamiento, debido a que no es comprobado el campo \"SegN\" de la PDU de inicio de transacci\u00f3n. Esto puede resultar en ataques relacionados con la corrupci\u00f3n de la memoria y, potencialmente, a que un atacante obtenga el control de todo el sistema. 
Los parches est\u00e1n disponibles en las ramas 4.1, 4.2, 4.3 y 4.4 y es recomendado a usuarios actualizar. La actualizaci\u00f3n es aplicable a todas las aplicaciones y usuarios del componente \"ESP-BLE-MESH\" de \"ESP-IDF\". Como es implementado en la pila de Bluetooth Mesh, no se presenta ninguna mitigaci\u00f3n para que el usuario arregle la capa de la aplicaci\u00f3n sin actualizar el firmware subyacente" } ], "id": "CVE-2022-24893", "lastModified": "2024-11-21T06:51:20.367", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 8.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 6.5, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, 
"impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-06-25T07:15:07.147", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-7f7f-jj2q-28wm" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-7f7f-jj2q-28wm" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-787" }, { "lang": "en", "value": "CWE-788" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-787" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-10-07 16:15
Modified
2024-11-21 04:29
Severity ?
Summary
An issue was discovered in Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, 3.1.x through 3.1.6, 3.2.x through 3.2.3, and 3.3.x through 3.3.1. An attacker who uses fault injection to physically disrupt the ESP32 CPU can bypass the Secure Boot digest verification at startup, and boot unverified code from flash. The fault injection attack does not disable the Flash Encryption feature, so if the ESP32 is configured with the recommended combination of Secure Boot and Flash Encryption, then the impact is minimized. If the ESP32 is configured without Flash Encryption then successful fault injection allows arbitrary code execution. To protect devices with Flash Encryption and Secure Boot enabled against this attack, a firmware change must be made to permanently enable Flash Encryption in the field if it is not already permanently enabled.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://www.espressif.com/en/news/Espressif_Security_Advisory_Concerning_Fault_Injection_and_Secure_Boot | Mitigation, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.espressif.com/en/news/Espressif_Security_Advisory_Concerning_Fault_Injection_and_Secure_Boot | Mitigation, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "0B9C04BA-1FC0-49A5-B89F-16014DA3D48B", "versionEndExcluding": "3.0.9", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "73B68B98-07BA-468B-B11B-0A76527F7419", "versionEndExcluding": "3.1.6", "versionStartExcluding": "3.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "21A89350-58F6-4746-906C-54B36814AAB9", "versionEndExcluding": "3.2.3", "versionStartExcluding": "3.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "29E03576-DD87-4AB7-9291-E23972A9C9E6", "versionEndExcluding": "3.3.1", "versionStartIncluding": "3.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, 3.1.x through 3.1.6, 3.2.x through 3.2.3, and 3.3.x through 3.3.1. An attacker who uses fault injection to physically disrupt the ESP32 CPU can bypass the Secure Boot digest verification at startup, and boot unverified code from flash. The fault injection attack does not disable the Flash Encryption feature, so if the ESP32 is configured with the recommended combination of Secure Boot and Flash Encryption, then the impact is minimized. If the ESP32 is configured without Flash Encryption then successful fault injection allows arbitrary code execution. To protect devices with Flash Encryption and Secure Boot enabled against this attack, a firmware change must be made to permanently enable Flash Encryption in the field if it is not already permanently enabled." 
}, { "lang": "es", "value": "Se detect\u00f3 un problema en Espressif ESP-IDF versiones 2.x, versiones 3.0.x hasta 3.0.9, versiones 3.1.x hasta 3.1.6, versiones 3.2.x hasta 3.2.3 y versiones 3.3.x hasta 3.3.1. Un atacante que utiliza la inyecci\u00f3n de un fallo para interrumpir f\u00edsicamente la CPU ESP32 puede omitir la comprobaci\u00f3n del resumen de Secure Boot en el inicio y arrancar el c\u00f3digo no comprobado desde la memoria flash. El ataque de inyecci\u00f3n de fallo no deshabilita la funci\u00f3n de cifrado de la Flash, por lo que si la ESP32 est\u00e1 configurada con la combinaci\u00f3n recomendada de Secure Boot y Flash Encryption, entonces el impacto es minimizado. Si el ESP32 est\u00e1 configurado sin Flash Encryption, entonces la inyecci\u00f3n de fallo con \u00e9xito permite la ejecuci\u00f3n de c\u00f3digo arbitrario. Para proteger los dispositivos con Flash Encryption y Secure Boot habilitados contra este ataque, un cambio de firmware se debe realizar para habilitar permanentemente la Flash Encryption en el campo si a\u00fan no est\u00e1 habilitado permanentemente." 
} ], "id": "CVE-2019-15894", "lastModified": "2024-11-21T04:29:40.990", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-10-07T16:15:11.413", "references": [ { "source": "cve@mitre.org", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://www.espressif.com/en/news/Espressif_Security_Advisory_Concerning_Fault_Injection_and_Secure_Boot" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://www.espressif.com/en/news/Espressif_Security_Advisory_Concerning_Fault_Injection_and_Secure_Boot" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-755" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-07 06:15
Modified
2024-11-21 05:59
Severity ?
Summary
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service (crash) in ESP32 by flooding the target device with LMP Feature Response data.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://dl.packetstormsecurity.net/papers/general/braktooth.pdf | Broken Link | |
cve@mitre.org | https://github.com/espressif/esp-idf | Third Party Advisory | |
cve@mitre.org | https://github.com/espressif/esp32-bt-lib | Third Party Advisory | |
cve@mitre.org | https://www.espressif.com/en/products/socs/esp32 | Product | |
af854a3a-2127-422b-91ae-364da2661108 | https://dl.packetstormsecurity.net/papers/general/braktooth.pdf | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp-idf | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp32-bt-lib | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.espressif.com/en/products/socs/esp32 | Product |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFF8C3F9-F42A-48FF-ADBF-E09B7D7B5550", "versionEndIncluding": "4.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service (crash) in ESP32 by flooding the target device with LMP Feature Response data." }, { "lang": "es", "value": "Una implementaci\u00f3n de Bluetooth Classic en Espressif ESP-IDF versi\u00f3n 4.4 y anteriores, no maneja apropiadamente la recepci\u00f3n de respuestas LMP continuas no solicitadas, permitiendo a atacantes en el rango de radio desencadenar una denegaci\u00f3n de servicio (ca\u00edda) en ESP32 inundando el dispositivo de destino con datos de respuesta de caracter\u00edsticas LMP" } ], "id": "CVE-2021-28135", "lastModified": "2024-11-21T05:59:09.477", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": 
"NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-09-07T06:15:07.230", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://www.espressif.com/en/products/socs/esp32" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://www.espressif.com/en/products/socs/esp32" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-07 07:15
Modified
2024-11-21 05:59
Summary
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://dl.packetstormsecurity.net/papers/general/braktooth.pdf | Technical Description, Third Party Advisory | |
cve@mitre.org | https://github.com/espressif/esp-idf | Product, Third Party Advisory | |
cve@mitre.org | https://github.com/espressif/esp32-bt-lib | Product, Third Party Advisory | |
cve@mitre.org | https://www.espressif.com/en/products/socs/esp32 | Product, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://dl.packetstormsecurity.net/papers/general/braktooth.pdf | Technical Description, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp-idf | Product, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp32-bt-lib | Product, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.espressif.com/en/products/socs/esp32 | Product, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFF8C3F9-F42A-48FF-ADBF-E09B7D7B5550", "versionEndIncluding": "4.4", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*", "matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload." }, { "lang": "es", "value": "La implementaci\u00f3n de Bluetooth Classic en Espressif ESP-IDF versiones 4.4 y anteriores, no restringe apropiadamente la P\u00e1gina de Funcionalidades tras la recepci\u00f3n de un paquete LMP de Funci\u00f3n de Respuesta Ampliada, permitiendo a atacantes en el rango de radio desencadenar una ejecuci\u00f3n de c\u00f3digo arbitrario en ESP32 por medio de una carga de bits de Funcionalidades Ampliadas dise\u00f1ada" } ], "id": "CVE-2021-28139", "lastModified": "2024-11-21T05:59:09.813", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 8.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 6.5, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { 
"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-09-07T07:15:06.877", "references": [ { "source": "cve@mitre.org", "tags": [ "Technical Description", "Third Party Advisory" ], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" }, { "source": "cve@mitre.org", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf" }, { "source": "cve@mitre.org", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "source": "cve@mitre.org", "tags": [ "Product", "Vendor Advisory" ], "url": "https://www.espressif.com/en/products/socs/esp32" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Technical Description", "Third Party Advisory" ], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Vendor Advisory" ], "url": "https://www.espressif.com/en/products/socs/esp32" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-03-13 17:15
Modified
2025-04-03 16:40
Summary
Espressif ESP-IDF v5.3.0 is vulnerable to insecure permissions, resulting in an authentication bypass. In the reconnection phase, the device reuses the session key from a previous connection session, creating an opportunity for attackers to execute security bypass attacks.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:esp-idf:5.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "255DB07C-B6C8-4993-A54E-4E0E3D242814", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Espressif Esp idf v5.3.0 is vulnerable to Insecure Permissions resulting in Authentication bypass. In the reconnection phase, the device reuses the session key from a previous connection session, creating an opportunity for attackers to execute security bypass attacks." }, { "lang": "es", "value": "Espressif Esp idf v5.3.0 es vulnerable a permisos inseguros, lo que resulta en la omisi\u00f3n de la autenticaci\u00f3n. Durante la fase de reconexi\u00f3n, el dispositivo reutiliza la clave de sesi\u00f3n de una sesi\u00f3n anterior, lo que permite a los atacantes ejecutar ataques de omisi\u00f3n de seguridad." } ], "id": "CVE-2024-53406", "lastModified": "2025-04-03T16:40:40.567", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2025-03-13T17:15:33.410", "references": [ { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://github.com/espressif/esp-idf" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "https://github.com/yangting111/BLE_TEST/blob/main/result/PoC/Esp/sk_reuse.md" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-639" } ], "source": 
"134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2019-09-04 20:15
Modified
2024-11-21 04:23
Summary
The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 processes EAP Success messages before any EAP method has completed or failed, which allows attackers in radio range to cause a denial of service (crash) via a crafted message.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/Matheus-Garbelini/esp32_esp8266_attacks | Exploit, Third Party Advisory | |
cve@mitre.org | https://github.com/espressif | Third Party Advisory | |
cve@mitre.org | https://matheus-garbelini.github.io/home/post/esp32-esp8266-eap-crash/ | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Matheus-Garbelini/esp32_esp8266_attacks | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://matheus-garbelini.github.io/home/post/esp32-esp8266-eap-crash/ | Exploit, Patch, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
espressif | arduino-esp32 | * | |
espressif | arduino-esp32 | 1.0.3 | |
espressif | arduino-esp32 | 1.0.3 | |
espressif | arduino-esp32 | 1.0.3 | |
espressif | esp-idf | * | |
espressif | esp8266_nonos_sdk | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:arduino-esp32:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE8CB7D3-9F85-46C6-BBB9-592919977335", "versionEndIncluding": "1.0.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:arduino-esp32:1.0.3:-:*:*:*:*:*:*", "matchCriteriaId": "18EBC74F-E07E-45AB-A741-6D72CE182838", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:arduino-esp32:1.0.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "AEF26B7B-EE51-486E-B32B-10FDACF8B9F8", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:arduino-esp32:1.0.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "1CB45124-5482-4A49-ABA2-E3AFE94421EA", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "606F8C7D-BBF1-4ABE-89AD-7D86BA56F1C9", "versionEndIncluding": "4.0.0", "versionStartIncluding": "2.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:esp8266_nonos_sdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "742F7BCB-7B5C-498E-A255-D9392E2BFA93", "versionEndIncluding": "3.0.0", "versionStartIncluding": "2.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 processes EAP Success messages before any EAP method completion or failure, which allows attackers in radio range to cause a denial of service (crash) via a crafted message." }, { "lang": "es", "value": "La implementaci\u00f3n de peer EAP en Espressif ESP-IDF versiones 2.0.0 hasta 4.0.0 y ESP8266_NONOS_SDK versiones 2.2.0 hasta 3.1.0, procesa los mensajes EAP Success antes de cualquier completaci\u00f3n o fallo del m\u00e9todo EAP, lo que permite a los atacantes en un radio de alcance causar una denegaci\u00f3n de servicio (bloqueo) por medio de un mensaje dise\u00f1ado." 
} ], "id": "CVE-2019-12586", "lastModified": "2024-11-21T04:23:08.750", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-09-04T20:15:10.607", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/Matheus-Garbelini/esp32_esp8266_attacks" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://matheus-garbelini.github.io/home/post/esp32-esp8266-eap-crash/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/Matheus-Garbelini/esp32_esp8266_attacks" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", 
"Patch", "Third Party Advisory" ], "url": "https://matheus-garbelini.github.io/home/post/esp32-esp8266-eap-crash/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-08-31 15:15
Modified
2024-11-21 05:01
Summary
The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.2 and earlier (for ESP32 devices) does not properly restrict the channel map field of the connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://asset-group.github.io/cves.html | Third Party Advisory | |
cve@mitre.org | https://asset-group.github.io/disclosures/sweyntooth/ | Third Party Advisory | |
cve@mitre.org | https://github.com/espressif/esp32-bt-lib | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://asset-group.github.io/cves.html | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://asset-group.github.io/disclosures/sweyntooth/ | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp32-bt-lib | Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C54B320-683C-4645-86DC-65CE4FA1EAB4", "versionEndIncluding": "4.2", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*", "matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.2 and earlier (for ESP32 devices) does not properly restrict the channel map field of the connection request packet on reception, allowing attackers in radio range to cause a denial of service (crash) via a crafted packet." }, { "lang": "es", "value": "La implementaci\u00f3n del controlador Bluetooth Low Energy (BLE) en Espressif ESP-IDF versiones 4.2 y anteriores (para dispositivos ESP32) no restringe apropiadamente el campo channel map del paquete de petici\u00f3n de conexi\u00f3n en la recepci\u00f3n, permitiendo a unos atacantes en el radio de alcance causar una denegaci\u00f3n de servicio (bloqueo) por medio de un paquete dise\u00f1ado" } ], "id": "CVE-2020-13594", "lastModified": "2024-11-21T05:01:34.633", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", 
"attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-08-31T15:15:10.633", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://asset-group.github.io/cves.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://asset-group.github.io/disclosures/sweyntooth/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://asset-group.github.io/cves.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://asset-group.github.io/disclosures/sweyntooth/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/esp32-bt-lib" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-07-23 16:15
Modified
2024-11-21 04:59
Summary
An encryption-bypass issue was discovered on Espressif ESP-IDF devices through 4.2, ESP8266_NONOS_SDK devices through 3.0.3, and ESP8266_RTOS_SDK devices through 3.3. Broadcasting forged beacon frames forces a device to change its authentication mode to OPEN, effectively disabling its 802.11 encryption.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/espressif/ESP8266_NONOS_SDK | Third Party Advisory | |
cve@mitre.org | https://github.com/espressif/ESP8266_RTOS_SDK | Third Party Advisory | |
cve@mitre.org | https://github.com/espressif/esp-idf | Third Party Advisory | |
cve@mitre.org | https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors | Exploit, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/ESP8266_NONOS_SDK | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/ESP8266_RTOS_SDK | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp-idf | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors | Exploit, Patch, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
espressif | esp-idf | * | |
espressif | esp8266_nonos_sdk | * | |
espressif | esp8266_rtos_sdk | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "1C54B320-683C-4645-86DC-65CE4FA1EAB4", "versionEndIncluding": "4.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp8266_nonos_sdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "94531964-D549-418B-B85B-3B749B9F365D", "versionEndIncluding": "3.0.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp8266_rtos_sdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "27E60BB2-BAC0-4582-8EEF-D89EB874DF17", "versionEndIncluding": "3.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An encryption-bypass issue was discovered on Espressif ESP-IDF devices through 4.2, ESP8266_NONOS_SDK devices through 3.0.3, and ESP8266_RTOS_SDK devices through 3.3. Broadcasting forged beacon frames forces a device to change its authentication mode to OPEN, effectively disabling its 802.11 encryption." }, { "lang": "es", "value": "Se detect\u00f3 un problema de omisi\u00f3n de cifrado en dispositivos Espressif ESP-IDF versiones hasta 4.2, dispositivos ESP8266_NONOS_SDK versiones hasta 3.0.3 y dispositivos ESP8266_RTOS_SDK versiones hasta 3.3. 
La transmisi\u00f3n de tramas beacon forjadas obliga a un dispositivo a cambiar su modo de autenticaci\u00f3n a OPEN, deshabilitando efectivamente su encriptaci\u00f3n 802.11" } ], "id": "CVE-2020-12638", "lastModified": "2024-11-21T04:59:57.530", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 5.5, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-07-23T16:15:12.490", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/ESP8266_NONOS_SDK" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/ESP8266_RTOS_SDK" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Third Party Advisory" ], "url": "https://github.com/espressif/ESP8266_NONOS_SDK" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/ESP8266_RTOS_SDK" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory" ], "url": "https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" }, { "lang": "en", "value": "CWE-319" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-01-12 03:15
Modified
2024-11-21 05:06
Summary
Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, 3.1.x through 3.1.7, 3.2.x through 3.2.3, 3.3.x through 3.3.2, and 4.0.x through 4.0.1 has a Buffer Overflow in BluFi provisioning in btc_blufi_recv_handler function in blufi_prf.c. An attacker can send a crafted BluFi protocol Write Attribute command to characteristic 0xFF01. With manipulated packet fields, there is a buffer overflow.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/espressif/esp-idf | Third Party Advisory | |
cve@mitre.org | https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/CVE-2020-16146.md | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp-idf | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/CVE-2020-16146.md | Third Party Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "57FA924F-77EE-48AE-9343-A1775EA6789C", "versionEndIncluding": "2.1.1", "versionStartIncluding": "2.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "63138525-7940-4FA3-BB64-9B1223CFD1BD", "versionEndIncluding": "3.0.9", "versionStartIncluding": "3.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F37BEBC-EFE6-4FDE-B366-90EC2CF04B0D", "versionEndIncluding": "3.1.7", "versionStartIncluding": "3.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "C2E37506-B1C3-4905-BD14-B50A478B6AA7", "versionEndIncluding": "3.2.3", "versionStartIncluding": "3.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "5FF549F1-A312-4AF2-8BA2-38DE4BBDB3BF", "versionEndIncluding": "3.3.2", "versionStartIncluding": "3.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "23808EA2-2D3F-45B4-9B83-FA36F98492F1", "versionEndIncluding": "4.0.1", "versionStartIncluding": "4.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Espressif ESP-IDF 2.x, 3.0.x through 3.0.9, 3.1.x through 3.1.7, 3.2.x through 3.2.3, 3.3.x through 3.3.2, and 4.0.x through 4.0.1 has a Buffer Overflow in BluFi provisioning in btc_blufi_recv_handler function in blufi_prf.c. An attacker can send a crafted BluFi protocol Write Attribute command to characteristic 0xFF01. With manipulated packet fields, there is a buffer overflow." 
}, { "lang": "es", "value": "Espressif ESP-IDF versiones 2.x, 3.0.x hasta 3.0.9, versiones 3.1.x hasta 3.1.7, versiones 3.2.x hasta 3.2.3, versiones 3.3.x hasta 3.3.2 y versiones 4.0.x versiones hasta 4.0.1, presenta un Desbordamiento del B\u00fafer en el aprovisionamiento de BluFi en la funci\u00f3n btc_blufi_recv_handler en el archivo blufi_prf.c.\u0026#xa0;Un atacante puede enviar un comando Write Attribute del protocolo BluFi dise\u00f1ado en la caracter\u00edstica 0xFF01.\u0026#xa0;Con campos de paquetes manipulados, se presenta un desbordamiento del b\u00fafer" } ], "id": "CVE-2020-16146", "lastModified": "2024-11-21T05:06:51.037", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-01-12T03:15:12.687", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": 
"https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/CVE-2020-16146.md" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/CVE-2020-16146.md" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-120" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-13 13:29
Modified
2024-11-21 03:56
Summary
An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the second-stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/espressif/esp-idf/releases | Release Notes, Third Party Advisory | |
cve@mitre.org | https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp-idf/releases | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "A16A6B0D-D949-4CD3-B16B-66B56E381F6C", "versionEndExcluding": "3.0.6", "versionStartIncluding": "2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "B969656A-0BC9-4869-96FE-0D08C9EBB83D", "versionEndIncluding": "3.1.1", "versionStartIncluding": "3.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory." }, { "lang": "es", "value": "Se descubri\u00f3 un problema en Espressif ESP-IDF versi\u00f3n 2.x y versi\u00f3n 3.x anterior a 3.0.6 y versi\u00f3n 3.1.x anterior a 3.1.1. La comprobaci\u00f3n insuficiente de los datos de entrada en el gestor de arranque de la segunda etapa permite que un atacante f\u00edsicamente pr\u00f3ximo omita las comprobaciones de arranque seguras y ejecute c\u00f3digo arbitrario, creando un binario de aplicaci\u00f3n que sobrescriba un segmento de c\u00f3digo del gestor de arranque en el par\u00e1metro process_segment en el archivo components/bootloader_support/src/esp_image_format.c. El ataque es exitoso cuando la funci\u00f3n de cifrado flash est\u00e1 inhabilitada, o si el atacante encuentra una vulnerabilidad distinta que le permite escribir este binario en la memoria flash." 
} ], "id": "CVE-2018-18558", "lastModified": "2024-11-21T03:56:09.217", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-13T13:29:02.103", "references": [ { "source": "cve@mitre.org", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf/releases" }, { "source": "cve@mitre.org", "url": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf/releases" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", 
"type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-07 06:15
Modified
2024-11-21 05:59
Summary
The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://dl.packetstormsecurity.net/papers/general/braktooth.pdf | Technical Description, Third Party Advisory | |
cve@mitre.org | https://github.com/espressif/esp-idf | Product, Third Party Advisory | |
cve@mitre.org | https://github.com/espressif/esp32-bt-lib | Product, Third Party Advisory | |
cve@mitre.org | https://www.espressif.com/en/products/socs/esp32 | Product, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://dl.packetstormsecurity.net/papers/general/braktooth.pdf | Technical Description, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp-idf | Product, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp32-bt-lib | Product, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.espressif.com/en/products/socs/esp32 | Product, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFF8C3F9-F42A-48FF-ADBF-E09B7D7B5550", "versionEndIncluding": "4.4", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*", "matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly handle the reception of multiple LMP IO Capability Request packets during the pairing process, allowing attackers in radio range to trigger memory corruption (and consequently a crash) in ESP32 via a replayed (duplicated) LMP packet." }, { "lang": "es", "value": "Una implementaci\u00f3n de Bluetooth Classic en Espressif ESP-IDF versiones 4.4 y anteriores, no maneja apropiadamente la recepci\u00f3n de m\u00faltiples paquetes de petici\u00f3n de capacidad LMP IO durante el proceso de emparejamiento, permitiendo a atacantes en el rango de radio desencadenar una corrupci\u00f3n de la memoria (y en consecuencia un bloqueo) en el ESP32 por medio de un paquete LMP reproducido (duplicado)" } ], "id": "CVE-2021-28136", "lastModified": "2024-11-21T05:59:09.650", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { 
"cvssData": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-09-07T06:15:07.330", "references": [ { "source": "cve@mitre.org", "tags": [ "Technical Description", "Third Party Advisory" ], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" }, { "source": "cve@mitre.org", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf" }, { "source": "cve@mitre.org", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "source": "cve@mitre.org", "tags": [ "Product", "Vendor Advisory" ], "url": "https://www.espressif.com/en/products/socs/esp32" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Technical Description", "Third Party Advisory" ], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/espressif/esp-idf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Third Party Advisory" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Vendor Advisory" ], "url": "https://www.espressif.com/en/products/socs/esp32" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-787" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-09-04 12:15
Modified
2024-11-21 04:23
Summary
The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 allows the installation of a zero Pairwise Master Key (PMK) after the completion of any EAP authentication method, which allows attackers in radio range to replay, decrypt, or spoof frames via a rogue access point.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/Matheus-Garbelini/esp32_esp8266_attacks | Exploit, Third Party Advisory | |
cve@mitre.org | https://github.com/espressif | Product | |
cve@mitre.org | https://matheus-garbelini.github.io/home/post/zero-pmk-installation/ | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/Matheus-Garbelini/esp32_esp8266_attacks | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif | Product | |
af854a3a-2127-422b-91ae-364da2661108 | https://matheus-garbelini.github.io/home/post/zero-pmk-installation/ | Patch, Third Party Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
espressif | esp-idf | * | |
espressif | esp8266_nonos_sdk | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "606F8C7D-BBF1-4ABE-89AD-7D86BA56F1C9", "versionEndIncluding": "4.0.0", "versionStartIncluding": "2.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:espressif:esp8266_nonos_sdk:*:*:*:*:*:*:*:*", "matchCriteriaId": "114797F9-9891-4249-8FD7-AD8629EEAADA", "versionEndIncluding": "3.1.0", "versionStartIncluding": "2.2.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 allows the installation of a zero Pairwise Master Key (PMK) after the completion of any EAP authentication method, which allows attackers in radio range to replay, decrypt, or spoof frames via a rogue access point." }, { "lang": "es", "value": "La implementaci\u00f3n de un peer EAP en Espressif ESP-IDF versiones 2.0.0 hasta 4.0.0 y ESP8266_NONOS_SDK versiones 2.2.0 hasta 3.1.0, permite la instalaci\u00f3n de una Pairwise Master Key (PMK) cero despu\u00e9s de la completaci\u00f3n de cualquier m\u00e9todo de autenticaci\u00f3n EAP, lo que permite a atacantes dentro de un radio de alcance reproducir, descifrar o falsificar cuadros por medio de un punto de acceso malicioso." 
} ], "id": "CVE-2019-12587", "lastModified": "2024-11-21T04:23:08.897", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.5, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-09-04T12:15:11.043", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/Matheus-Garbelini/esp32_esp8266_attacks" }, { "source": "cve@mitre.org", "tags": [ "Product" ], "url": "https://github.com/espressif" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://matheus-garbelini.github.io/home/post/zero-pmk-installation/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/Matheus-Garbelini/esp32_esp8266_attacks" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://github.com/espressif" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": 
"https://matheus-garbelini.github.io/home/post/zero-pmk-installation/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-327" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-08-31 15:15
Modified
2024-11-21 05:01
Summary
The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target's BLE stack) by sending a crafted sequence of BLE packets.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://asset-group.github.io/cves.html | Third Party Advisory | |
cve@mitre.org | https://asset-group.github.io/disclosures/sweyntooth/ | Third Party Advisory | |
cve@mitre.org | https://github.com/espressif/esp32-bt-lib | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://asset-group.github.io/cves.html | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://asset-group.github.io/disclosures/sweyntooth/ | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/espressif/esp32-bt-lib | Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8034F36-3371-4111-AE71-573B85934B20", "versionEndIncluding": "4.2", "versionStartIncluding": "4.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*", "matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Bluetooth Low Energy (BLE) controller implementation in Espressif ESP-IDF 4.0 through 4.2 (for ESP32 devices) returns the wrong number of completed BLE packets and triggers a reachable assertion on the host stack when receiving a packet with an MIC failure. An attacker within radio range can silently trigger the assertion (which disables the target\u0027s BLE stack) by sending a crafted sequence of BLE packets." }, { "lang": "es", "value": "La implementaci\u00f3n del controlador Bluetooth Low Energy (BLE) en Espressif ESP-IDF versiones 4.0 hasta 4.2 (para dispositivos ESP32) devuelve el n\u00famero errado de paquetes BLE completados y desencadena una aserci\u00f3n alcanzable en la pila del host cuando est\u00e1 recibiendo un paquete con un fallo de MIC. 
Un atacante dentro del radio de alcance puede desencadenar silenciosamente la aserci\u00f3n (que deshabilita la pila BLE del objetivo) al enviar una secuencia de paquetes BLE dise\u00f1ada" } ], "id": "CVE-2020-13595", "lastModified": "2024-11-21T05:01:34.793", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 6.5, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-08-31T15:15:10.680", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://asset-group.github.io/cves.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://asset-group.github.io/disclosures/sweyntooth/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/esp32-bt-lib" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://asset-group.github.io/cves.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": 
"https://asset-group.github.io/disclosures/sweyntooth/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/espressif/esp32-bt-lib" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-617" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }