ESP8266 Beacon Frame Crash (CVE-2019-12588)

Easily crashing ESP8266 Wi-Fi devices

Vulnerability Description

CVE-2019-12588: The client 802.11 MAC implementation in Espressif ESP8266 NONOS SDK 3.0 and earlier does not validate correctly the RSN AuthKey suite list count in beacon frames, probe responses, and association responses, which allows attackers in radio range to cause a denial of service (crash) via a crafted message.

The affected stable and development versions are listed below:

  • NONOS SDK Stable release 3.0 and earlier. Vulnerable until July 15, 2019.
  • NONOS SDK Development master #b2db392 and earlier. Vulnerable until July 3, 2019.
  • NONOS SDK Backport 2.2.X #9fe634e and earlier. Vulnerable until July 3, 2019.
  • NONOS SDK Backport 3.0.0 #fc04170 and earlier. Vulnerable until July 3, 2019.
  • Arduino ESP8266 Release 2.5.2 and earlier. Still vulnerable as of September 5, 2019.
  • Arduino ESP8266 Development master #a0634a7. Vulnerable until July 5, 2019.

Two situations in a malformed beacon frame can trigger this problem:

  • When a crafted 802.11 frame carries an RSN tag whose Auth Key Management (AKM) Suite Count field is too large or otherwise incorrect, an ESP8266 in station mode crashes.
  • When a crafted 802.11 frame carries an RSN tag whose Pairwise Cipher Suite Count field is too large or otherwise incorrect, an ESP8266 in station mode crashes.

Exploitation Scenario

The vulnerability can be better understood with the following diagram:

[Diagram: esp8266_beacon_crash]

In the scenario above, the attacker sends a malformed beacon or probe response to an ESP8266 that is already connected to an access point. However, it was found that the ESP8266 can crash even when there is no connection to an AP, that is, even while the ESP8266 is merely scanning for an AP.

When capturing some packets in Wireshark, it is easy to see which fields are affected:

[Capture: invalid_beacon_frame1]

In this case, the NONOS SDK does not correctly validate the AKM Suite Count field against unexpected values. This field tells the client how many authentication key management methods (suites) may be used during the key exchange with the AP.

As for the Pairwise Cipher Suite Count field, which tells the client how many cipher suites may be used for encryption, a crash also occurs when the count is higher than expected:

[Capture: invalid_beacon_frame2]

In both cases, the ESP8266 NONOS SDK does not expect to receive a count that exceeds the data actually present in the frame (6 and 10 in these captures). This indicates that the attack may be triggering a buffer overflow. You can download a capture of such a crafted packet here.
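To show the bound a station-side parser has to enforce, here is an added example of my own (not Espressif's SDK code and not the patch referenced below): a C parser for the RSN element body that rejects any suite count that does not fit in the bytes the element actually carries. The sample elements are constructed, using the AKM count of 10 and pairwise count of 6 seen in the captures above; RSN_MAX_SUITES and the function names are my assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define RSN_MAX_SUITES 4   /* assumed bound for the fixed storage below */

struct rsn_info {
    uint16_t version, pairwise_count, akm_count;
    uint32_t group_cipher, pairwise[RSN_MAX_SUITES], akm[RSN_MAX_SUITES];
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse "count (LE16) + count*4 suite bytes". Returns bytes consumed, or -1
 * when the count does not fit in the bytes present or in the fixed array:
 * this is the bound the vulnerable SDK failed to enforce. */
static int parse_suite_list(const uint8_t *p, size_t rem, uint16_t *cnt, uint32_t *dst)
{
    if (rem == 0) { *cnt = 0; return 0; }   /* list omitted: spec defaults apply */
    if (rem < 2) return -1;
    uint16_t n = le16(p);
    if (n > RSN_MAX_SUITES || (size_t)n * 4 > rem - 2) return -1;
    for (uint16_t i = 0; i < n; i++) memcpy(&dst[i], p + 2 + 4 * i, 4);
    *cnt = n;
    return 2 + 4 * n;
}

/* ie points at the RSN element body (after the 0x30 tag and length byte).
 * Returns 0 on success, -1 bad header, -2 bad pairwise list, -3 bad AKM list. */
int rsn_ie_parse(const uint8_t *ie, size_t len, struct rsn_info *out)
{
    memset(out, 0, sizeof(*out));
    if (len < 6) return -1;                 /* version + group cipher suite */
    out->version = le16(ie);
    if (out->version != 1) return -1;
    memcpy(&out->group_cipher, ie + 2, 4);
    size_t off = 6;
    int n = parse_suite_list(ie + off, len - off, &out->pairwise_count, out->pairwise);
    if (n < 0) return -2;
    off += (size_t)n;
    n = parse_suite_list(ie + off, len - off, &out->akm_count, out->akm);
    if (n < 0) return -3;
    return 0;                               /* RSN capabilities etc. follow */
}

/* Constructed sample bodies (WPA2-PSK/CCMP layout), not taken from the page's capture. */
const uint8_t rsn_good[]     = { 0x01,0x00, 0x00,0x0F,0xAC,0x04, 0x01,0x00, 0x00,0x0F,0xAC,0x04,
                                 0x01,0x00, 0x00,0x0F,0xAC,0x02, 0x00,0x00 };
const uint8_t rsn_bad_akm[]  = { 0x01,0x00, 0x00,0x0F,0xAC,0x04, 0x01,0x00, 0x00,0x0F,0xAC,0x04,
                                 0x0A,0x00, 0x00,0x0F,0xAC,0x02, 0x00,0x00 };  /* AKM count 10 */
const uint8_t rsn_bad_pair[] = { 0x01,0x00, 0x00,0x0F,0xAC,0x04, 0x06,0x00, 0x00,0x0F,0xAC,0x04,
                                 0x01,0x00, 0x00,0x0F,0xAC,0x02, 0x00,0x00 };  /* pairwise count 6 */

int rsn_ie_check(const uint8_t *ie, size_t len) { struct rsn_info r; return rsn_ie_parse(ie, len, &r); }
```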

Impact

As mentioned before, an attacker can crash any ESP8266 Wi-Fi client within radio range just by sending a fake beacon frame or probe response. This is especially dangerous for projects that use the ESP8266 for automation (e.g. the openplc project), which rely on operating actuators such as relays and motors while continuously communicating with a programmable logic controller (PLC). In addition, products and projects that use the ESP8266 for smart home devices or as an AT command module are likely vulnerable unless their firmware was recently updated.

Patches

Espressif has fixed this problem and committed patches to their NONOS SDK repository since July 3, 2019. The specific security patches can be tracked in the following commit/release links:

Make sure to update your SDK today, don’t delay.

Proof of Concept tool

If you wish to test your ESP8266 device against this vulnerability, you can check my repository:

https://github.com/Matheus-Garbelini/esp32_esp8266_attacks

Matheus Eduardo Garbelini
Ph.D Candidate

My research interests include distributed Wireless Security, IoTs, Embedded Systems and Software/Hardware engineering.
