Author Topic: ESP32 / ESP8266 three remote attacks  (Read 552 times)


Online sokoloff

  • Super Contributor
  • ***
  • Posts: 1326
  • Country: us
ESP32 / ESP8266 three remote attacks
« on: September 03, 2019, 04:22:32 pm »
Three exploits:
1. Zero PMK Installation - The vulnerability (CVE-2019-12587) found in latest SDK version of ESP32 and ESP8266 (ESP-IDF v4.0-dev-459-gba1ff1692 and NONOS-SDK v3.0-103-g7a31cb7 respectively) allows an attacker to take control of the Wi-Fi device EAP session by sending an EAP-Fail message in the final step during connection between the device and the access point (AP).

2. ESP32/ESP8266 EAP client crash (CVE-2019-12586) - Crashes clients connected to enterprise networks

3. ESP8266 Beacon Frame Crash (CVE-2019-12588): The client 802.11 mac implementation in Espressif ESP8266_NONOS_SDK 3.1.0 and earlier does not validate correctly the RSN AuthKey suite list count in beacon frames, probe responses, and association responses, which allows attackers in radio range to cause a denial of service (crash) via a crafted message.

More information:
https://github.com/Matheus-Garbelini/esp32_esp8266_attacks
 
The following users thanked this post: netdudeuk, Naguissa
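The third item above is a classic length-validation bug: a suite count read from the RSN information element is trusted without checking that the suite list it announces actually fits inside the element. The parser below is an added illustration of the check a client MAC layer needs, written for this thread; it is not code from the Espressif SDK or from the linked repository. It follows the 802.11 RSN element layout (version, group cipher, pairwise suite count and list, AKM suite count and list), stops before the optional capability and PMKID fields, and caps the number of stored suites at an assumed `MAX_SUITES` of 8. The two byte strings are constructed samples: a normal WPA2-PSK element, and the same element with an AKM count that cannot possibly fit in the 20 bytes the element declares.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RSN_IE_ID    48      /* 802.11 element ID for the RSN information element */
#define RSN_VERSION  1
#define MAX_SUITES   8       /* assumed storage cap; real clients need only a few */

enum rsn_status {
    RSN_OK = 0,
    RSN_ERR_ID,          /* not an RSN element */
    RSN_ERR_VERSION,     /* unsupported RSN version */
    RSN_ERR_TRUNCATED,   /* element or field runs past the available bytes */
    RSN_ERR_COUNT,       /* suite count does not fit in the element's remaining length */
    RSN_ERR_LIMIT        /* more suites than this parser stores */
};

struct rsn_info {
    uint32_t group_cipher;
    uint16_t pairwise_count;
    uint32_t pairwise[MAX_SUITES];
    uint16_t akm_count;
    uint32_t akm[MAX_SUITES];
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* A suite selector is OUI (3 bytes) + type (1 byte); pack it as one word for comparison. */
static uint32_t suite_selector(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse a "count + list of 4-byte selectors" field. The count is attacker-controlled,
 * so it is validated against the bytes that remain in the element before any read. */
static enum rsn_status parse_suite_list(const uint8_t *p, size_t remaining, size_t *consumed,
                                        uint16_t *count_out, uint32_t *out)
{
    if (remaining < 2)
        return RSN_ERR_TRUNCATED;
    uint16_t count = le16(p);
    /* The check the advisory describes as missing: count * 4 must fit in the element. */
    if ((size_t)count * 4 > remaining - 2)
        return RSN_ERR_COUNT;
    /* And it must also fit in our own storage, or the copy below overflows. */
    if (count > MAX_SUITES)
        return RSN_ERR_LIMIT;
    for (uint16_t i = 0; i < count; i++)
        out[i] = suite_selector(p + 2 + 4 * i);
    *consumed = 2 + (size_t)count * 4;
    *count_out = count;
    return RSN_OK;
}

/* ie points at the element header (ID, length); ie_len is how many bytes are really there. */
enum rsn_status parse_rsn_ie(const uint8_t *ie, size_t ie_len, struct rsn_info *info)
{
    memset(info, 0, sizeof *info);
    if (ie_len < 2 || ie[0] != RSN_IE_ID)
        return RSN_ERR_ID;
    size_t rem = ie[1];
    if (rem + 2 > ie_len)             /* declared length must fit the received frame */
        return RSN_ERR_TRUNCATED;
    const uint8_t *p = ie + 2;

    if (rem < 2)
        return RSN_ERR_TRUNCATED;
    if (le16(p) != RSN_VERSION)
        return RSN_ERR_VERSION;
    p += 2; rem -= 2;
    if (rem == 0)                     /* everything after the version is optional */
        return RSN_OK;

    if (rem < 4)
        return RSN_ERR_TRUNCATED;
    info->group_cipher = suite_selector(p);
    p += 4; rem -= 4;
    if (rem == 0)
        return RSN_OK;

    size_t used;
    enum rsn_status st = parse_suite_list(p, rem, &used, &info->pairwise_count, info->pairwise);
    if (st != RSN_OK)
        return st;
    p += used; rem -= used;
    if (rem == 0)
        return RSN_OK;

    st = parse_suite_list(p, rem, &used, &info->akm_count, info->akm);
    return st;                        /* RSN capabilities / PMKIDs not parsed here */
}

/* Constructed sample: WPA2-PSK element, group CCMP, pairwise CCMP, AKM PSK, caps 0x000C. */
const uint8_t SAMPLE_VALID[] = {
    0x30, 0x14, 0x01, 0x00, 0x00, 0x0F, 0xAC, 0x04, 0x01, 0x00, 0x00, 0x0F,
    0xAC, 0x04, 0x01, 0x00, 0x00, 0x0F, 0xAC, 0x02, 0x0C, 0x00 };
const size_t SAMPLE_VALID_LEN = sizeof SAMPLE_VALID;

/* Constructed sample: same 20-byte element, but the AKM count field claims 0xFFFF suites. */
const uint8_t SAMPLE_BAD_COUNT[] = {
    0x30, 0x14, 0x01, 0x00, 0x00, 0x0F, 0xAC, 0x04, 0x01, 0x00, 0x00, 0x0F,
    0xAC, 0x04, 0xFF, 0xFF, 0x00, 0x0F, 0xAC, 0x02, 0x0C, 0x00 };
const size_t SAMPLE_BAD_COUNT_LEN = sizeof SAMPLE_BAD_COUNT;

int main(void)
{
    struct rsn_info info;
    printf("valid element     -> status %d, akm[0]=0x%08X\n",
           parse_rsn_ie(SAMPLE_VALID, SAMPLE_VALID_LEN, &info), info.akm[0]);
    printf("bad AKM count     -> status %d\n",
           parse_rsn_ie(SAMPLE_BAD_COUNT, SAMPLE_BAD_COUNT_LEN, &info));
    printf("short frame (10B) -> status %d\n",
           parse_rsn_ie(SAMPLE_VALID, 10, &info));
    return 0;
}
```

The point of the two-stage check in `parse_suite_list` is that either test alone is insufficient: bounding the count by the element's remaining length stops reads past the frame buffer, and bounding it by the local array size stops writes past the parser's own storage. A client that does only the second check still reads garbage selectors from beyond the element; one that does only the first can still overflow its fixed-size table on a legitimately long list.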

Offline ralphrmartin

  • Frequent Contributor
  • **
  • Posts: 297
  • Country: gb
    • Work website
Re: ESP32 / ESP8266 three remote attacks
« Reply #1 on: September 03, 2019, 05:44:28 pm »
At least these appear to be bugs in the SDK, not the silicon, so are fixable.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 1266
  • Country: pl
Re: ESP32 / ESP8266 three remote attacks
« Reply #2 on: September 03, 2019, 08:34:08 pm »
Worth noting that EAP isn't something that you are likely to be using if you don't know that you are using it.
 

Offline MarkR42

  • Contributor
  • Posts: 29
  • Country: gb
Re: ESP32 / ESP8266 three remote attacks
« Reply #3 on: September 18, 2019, 07:58:27 am »
Well it's not that bad:

* All the attacks are over-the-air wifi attacks, not ip-based, so they can't be routed
* Almost nobody uses EAP on those ESP chips, probably (someone, somewhere probably does and has deployed 500k devices :) )
* If you crash it or hang it, there is a hardware watchdog that the firmware should be using!

 
The following users thanked this post: Naguissa

