
WiFi WPA2 protocol vulnerabilities (VU#228519)

Posted: Mon Oct 16, 2017 9:41 am
by ESP_Angus
(The CVEs and VU# mentioned here are under embargo at the respective sites for a couple more hours so the below links do not work, but the researcher has just released details of the attack which link to these vulnerability references, so we're reproducing them here.)

See the official press release here: http://espressif.com/en/media_overview/ ... t-vu228519

Recently announced vulnerabilities in the WPA2 protocol affected the ESP32 ESP-IDF WiFi support, including released versions v1.0, v2.0 and v2.1.

These vulnerabilities are described in detail at CERT VU#228519 and also individually in CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.

The vulnerabilities are already fixed in these ESP-IDF versions:

All ESP-IDF users are encouraged to upgrade as soon as possible.

Thank you to the security researcher Mathy Vanhoef & CERT for finding & disclosing this issue to vendors.

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Posted: Mon Oct 16, 2017 5:58 pm
by permal
And thank you, Espressif, for being on top of this!

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Posted: Mon Oct 16, 2017 7:15 pm
by Lucas.Hutchinson
Great to hear!

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Posted: Wed Oct 18, 2017 10:26 am
by Ritesh
ESP_Angus wrote: (The CVEs and VU# mentioned here are under embargo at the respective sites for a couple more hours so the below links do not work, but the researcher has just released details of the attack which link to these vulnerability references, so we're reproducing them here.)

See the official press release here: http://espressif.com/en/media_overview/ ... t-vu228519

Recently announced vulnerabilities in the WPA2 protocol affected the ESP32 ESP-IDF WiFi support, including released versions v1.0, v2.0 and v2.1.

These vulnerabilities are described in detail at CERT VU#228519 and also individually in CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.

The vulnerabilities are already fixed in these ESP-IDF versions:

All ESP-IDF users are encouraged to upgrade as soon as possible.

Thank you to the security researcher Mathy Vanhoef & CERT for finding & disclosing this issue to vendors.
Hi,

Thanks for the update.

But we have one concern: we have already developed some products using the ESP32 2.0 SDK, and the same for the ESP8266 SDK, and they are working fine so far. We have also released that product to the customer.

So, we have provided an OTA option in each product so that they can update the firmware in their product.

Would it be possible to just apply a patch to the existing stable ESP32 and ESP8266 SDKs, as we don't want to upgrade the whole SDKs?

Please provide your suggestions for this so that we can make a decision based on that.

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Posted: Wed Oct 18, 2017 9:17 pm
by Lucas.Hutchinson
@Ritesh

Espressif have a path forward for you for this. They have released v2.1 (and soon to have v2.1.1).
This should essentially be v2.0 with the bugfixes you are looking for.

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Posted: Thu Oct 19, 2017 5:21 am
by Ritesh
Lucas.Hutchinson wrote:@Ritesh

Espressif have a path forward for you for this. They have released v2.1 (and soon to have v2.1.1).
This should essentially be v2.0 with the bugfixes you are looking for.
Yes.

But I just have one concern regarding this issue, which is that we have already released one product based on the ESP32 IDF 2.0 SDK and I don't want to upgrade the whole ESP32 SDK now for this issue fix.

So, would it be possible to apply that specific patch to the ESP32 2.0 IDF stable release to fix that issue? If that is not possible, then we need to upgrade the current ESP32 IDF 2.0 SDK to the ESP32 IDF 2.1 SDK including that fix, but we need to validate each and every section/feature which we have used for my application development.

Hope you will understand my concern regarding this issue.

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Posted: Fri Oct 20, 2017 11:09 am
by ESP_Angus
Ritesh wrote: But I just have one concern regarding this issue, which is that we have already released one product based on the ESP32 IDF 2.0 SDK and I don't want to upgrade the whole ESP32 SDK now for this issue fix.
As per the reply I sent you on the other thread, updating to V2.1 and then V2.1.1 is the supported upgrade path for these fixes.

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Posted: Sat Oct 21, 2017 4:07 am
by Ritesh
ESP_Angus wrote:
Ritesh wrote: But I just have one concern regarding this issue, which is that we have already released one product based on the ESP32 IDF 2.0 SDK and I don't want to upgrade the whole ESP32 SDK now for this issue fix.
As per the reply I sent you on the other thread, updating to V2.1 and then V2.1.1 is the supported upgrade path for these fixes.
Yes. But for that I need to upgrade the ESP32 IDF SDK from 2.0 to 2.1, as we are right now using the ESP32 IDF 2.0 SDK for my application development. That is the biggest concern we have, as we have already developed 90% of the application using the ESP32 IDF 2.0 SDK and also validated it.

Hope you will understand my concern, as we need to validate each and every section from scratch if we move from ESP32 IDF 2.0 to the ESP32 IDF 2.1 SDK and later on to ESP32 IDF 2.1.1.

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Posted: Sat Oct 21, 2017 12:06 pm
by halfro
Ritesh wrote:
ESP_Angus wrote:
Ritesh wrote: But I just have one concern regarding this issue, which is that we have already released one product based on the ESP32 IDF 2.0 SDK and I don't want to upgrade the whole ESP32 SDK now for this issue fix.
As per the reply I sent you on the other thread, updating to V2.1 and then V2.1.1 is the supported upgrade path for these fixes.
Yes. But for that I need to upgrade the ESP32 IDF SDK from 2.0 to 2.1, as we are right now using the ESP32 IDF 2.0 SDK for my application development. That is the biggest concern we have, as we have already developed 90% of the application using the ESP32 IDF 2.0 SDK and also validated it.

Hope you will understand my concern, as we need to validate each and every section from scratch if we move from ESP32 IDF 2.0 to the ESP32 IDF 2.1 SDK and later on to ESP32 IDF 2.1.1.
Again, it depends on whether the changes are worth the effort of doing the migration to you. I believe you can git cherry-pick the patch, if I am not wrong, if you are insistent on staying on v2.0.

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Posted: Mon Oct 23, 2017 8:29 am
by Ritesh
halfro wrote:
Ritesh wrote:
ESP_Angus wrote:
As per the reply I sent you on the other thread, updating to V2.1 and then V2.1.1 is the supported upgrade path for these fixes.
Yes. But for that I need to upgrade the ESP32 IDF SDK from 2.0 to 2.1, as we are right now using the ESP32 IDF 2.0 SDK for my application development. That is the biggest concern we have, as we have already developed 90% of the application using the ESP32 IDF 2.0 SDK and also validated it.

Hope you will understand my concern, as we need to validate each and every section from scratch if we move from ESP32 IDF 2.0 to the ESP32 IDF 2.1 SDK and later on to ESP32 IDF 2.1.1.
Again, it depends on whether the changes are worth the effort of doing the migration to you. I believe you can git cherry-pick the patch, if I am not wrong, if you are insistent on staying on v2.0.
Thanks for the reply.

I will do it and will let you know if there is any issue while migrating those changes into the ESP32 IDF 2.0 SDK, which we are right now using for application development.