ESP32/ESP8266 EAP client crash (CVE-2019-12586)
Crashing ESP devices connected to enterprise networks
Vulnerability Description
The vulnerability (CVE-2019-12586) found in SDKs of ESP32 and ESP8266 allows an attacker to precisely cause a crash in any ESP32/ESP8266 connected to an enterprise network. In combination with the Zero PMK Installation vulnerability, it could increase the damages to any unpatched device.
The affected stable and development versions are listed below:
- ESP32-IDF Stable release 3.0 and earlier. Vulnerable until July 15, 2019.
- ESP32-IDF Development Master #b68f5b4f and earlier. Vulnerable until May 30, 2019.
- Arduino-ESP32 Pre-release 1.0.3-rc2 and earlier. Vulnerable until September 5, 2019.
- Arduino-ESP32 Development Master #aff2e42 and earlier. Vulnerable until May 12, 2019.
Exploit scenario
The DoS vulnerability can be better understood when presented in the following diagram below. Step 8 is the malicious message which could be injected by an attacker in radio range. In this case, if the ESP32/8266 Wi-Fi client receives a EAP-Success message just after starting the EAP procedure, it crashes immediately. This happens because the device is erroneously tries to finish the EAP procedure, but doesn’t have a valid PMK exchanged and validated.
A Wireshark capture (download) of the attacker triggering the crash is shown in the figure below:
Impact
This vulnerability allows attackers in radio range to trigger a crash to any ESP device connected to an enterprise network. As the respective devices SDK (ESP-IDF for ESP32 and NONOS-SDK for ESP8266) enables watchdog by default, the devices won’t hang in face of such DoS attack. Espressif has fixed such problem and committed patches for ESP32 SDK, however, as of the date of this post, the NONOS SDK and Arduino core for ESP8266 are still unpatched.
Patches
Espressif has fixed such problem and committed patches for ESP32 SDK, however, as of the date of this post, the NONOS SDK and Arduino core for ESP8266 appears to be unpatched. The security patches can be tracked in the following commit link:
- ESP32 ESP-IDF Stable Release 3.3 (5 September, 2019)
- ESP32 ESP-IDF Development Master (30 May, 2019)
- Arduino-ESP32 Stable Release 1.0.3 RC3 (5 September, 2019)
- Arduino-ESP32 Development Master (August 20, 2019)
Proof of Concept tool
If you wish to test your ESP32/8266 device against this vulnerability, you can check my repository:
Matheus Eduardo Garbelini
Ph.D Student
My research interests include distributed Wireless Security, IoTs, Embedded Systems and Software/Hardware engineering.