ESP32/ESP8266 EAP client crash (CVE-2019-12586)

Crashing ESP devices connected to enterprise networks

Vulnerability Description

The vulnerability (CVE-2019-12586) found in SDKs of ESP32 and ESP8266 allows an attacker to precisely cause a crash in any ESP32/ESP8266 connected to an enterprise network. In combination with the Zero PMK Installation vulnerability, it could increase the damages to any unpatched device.

The affected stable and development versions are listed below:

  • ESP32-IDF Stable release 3.0 and earlier. Vulnerable until July 15, 2019.
  • ESP32-IDF Development Master #b68f5b4f and earlier. Vulnerable until May 30, 2019.
  • Arduino-ESP32 Pre-release 1.0.3-rc2 and earlier. Vulnerable until September 5, 2019.
  • Arduino-ESP32 Development Master #aff2e42 and earlier. Vulnerable until May 12, 2019.

Exploit scenario

‚Äč The DoS vulnerability can be better understood when presented in the following diagram:

Enterprise_crash_eap

A Wireshark capture (download) of the attacker triggering the crash is shown in the figure below:

wireshark_capture

Impact

This vulnerability allows attackers in radio range to trigger a crash to any ESP device connected to an enterprise network. As the respective devices SDK (ESP-IDF for ESP32 and NONOS-SDK for ESP8266) enables watchdog by default, the devices won’t hang in face of such DoS attack. Espressif has fixed such problem and committed patches for ESP32 SDK, however, as of the date of this post, the NONOS SDK and Arduino core for ESP8266 are still unpatched.

Patches

Espressif has fixed such problem and committed patches for ESP32 SDK, however, as of the date of this post, the NONOS SDK and Arduino core for ESP8266 appears to be unpatched. The security patches can be tracked in the following commit link:

Proof of Concept tool

If you wish to test your ESP32/8266 device against this vulnerability, you can check my repository:

https://github.com/Matheus-Garbelini/esp32_esp8266_attacks

Avatar
Matheus Eduardo Garbelini
Ph.D Candidate

My research interests include distributed Wireless Security, IoTs, Embedded Systems and Software/Hardware engineering.

Related