ESP32 / ESP8266 three remote attacks

[sokoloff]

Three exploits:
1. Zero PMK Installation - The vulnerability (CVE-2019-12587) found in latest SDK version of ESP32 and ESP8266 (ESP-IDF v4.0-dev-459-gba1ff1692 and NONOS-SDK v3.0-103-g7a31cb7 respectivelly) allows an attacker to take control of the Wi-Fi device EAP session by sending an EAP-Fail message in the final step during connection between the device and the access point (AP).

2. ESP32/ESP8266 EAP client crash (CVE-2019-12586) - Crashes clients connected to enterprise networks

3. ESP8266 Beacon Frame Crash (CVE-2019-12588) CVE-2019-12588: The client 802.11 mac implementation in Espressif ESP8266_NONOS_SDK 3.1.0 and earlier does not validate correctly the RSN AuthKey suite list count in beacon frames, probe responses, and association responses, which allows attackers in radio range to cause a denial of service (crash) via a crafted message.

More information:
https://github.com/Matheus-Garbelini/esp32_esp8266_attacks

[ralphrmartin]

At least these appear to be bugs in the SDK, not the silicon, so are fixable.

[magic]

Worth noting that EAP isn't something that you are likely to be using if you don't know that you are using it.

[MarkR42]

Well it's not that bad:

* All the attacks are over-the-air wifi attacks, not ip-based, so they can't be routed
* Almost nobody uses EAP on those ESP chips, probably (someone, somewhere probably does and has deployed 500k devices )
* If you crash it or hang it, there is a hardware watchdog that the firmware should be using!