ESP32/ESP8266 EAP client crash (CVE-2019-12586)

Sep 3, 2019·
Matheus Eduardo Garbelini, Ph.D
Matheus Eduardo Garbelini, Ph.D
· 2 min read

Vulnerability Description

The vulnerability (CVE-2019-12586) found in SDKs of ESP32 and ESP8266 allows an attacker to precisely cause a crash in any ESP32/ESP8266 connected to an enterprise network. In combination with the Zero PMK Installation vulnerability, it could increase the damages to any unpatched device.

The affected stable and development versions are listed below:

  • ESP32-IDF Stable release 3.0 and earlier. Vulnerable until July 15, 2019.
  • ESP32-IDF Development Master #b68f5b4f and earlier. Vulnerable until May 30, 2019.
  • Arduino-ESP32 Pre-release 1.0.3-rc2 and earlier. Vulnerable until September 5, 2019.
  • Arduino-ESP32 Development Master #aff2e42 and earlier. Vulnerable until May 12, 2019.

Exploit scenario

​ The DoS vulnerability can be better understood when presented in the following diagram below. Step 8 is the malicious message which could be injected by an attacker in radio range. In this case, if the ESP32/8266 Wi-Fi client receives a EAP-Success message just after starting the EAP procedure, it crashes immediately. This happens because the device is erroneously tries to finish the EAP procedure, but doesn’t have a valid PMK exchanged and validated.

drawing

A Wireshark capture (download) of the attacker triggering the crash is shown in the figure below:

drawing

Impact

This vulnerability allows attackers in radio range to trigger a crash to any ESP device connected to an enterprise network. As the respective devices SDK (ESP-IDF for ESP32 and NONOS-SDK for ESP8266) enables watchdog by default, the devices won’t hang in face of such DoS attack. Espressif has fixed such problem and committed patches for ESP32 SDK, however, as of the date of this post, the NONOS SDK and Arduino core for ESP8266 are still unpatched.

Patches

Espressif has fixed such problem and committed patches for ESP32 SDK, however, as of the date of this post, the NONOS SDK and Arduino core for ESP8266 appears to be unpatched. The security patches can be tracked in the following commit link:

Proof of Concept tool

If you wish to test your ESP32/8266 device against this vulnerability, you can check my repository:

https://github.com/Matheus-Garbelini/esp32_esp8266_attacks