WiFi WPA2 protocol vulnerabilities (VU#228519)

[ESP_Angus]

(The CVEs and VU# mentioned here are under embargo at the respective sites for a couple more hours so the below links do not work, but the researcher has just released details of the attack which link to these vulnerability references, so we're reproducing them here.)

See the official press release here: http://espressif.com/en/media_overview/ ... t-vu228519

Recently announced vulnerabilities in the WPA2 protocol affected the ESP32 ESP-IDF WiFi support, including released versions v1.0, v2.0 and v2.1.

These vulnerabilities are described in detail at CERT VU#228519 and also individually in CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.

The vulnerabilities are already fixed in these ESP-IDF versions:

• release/v2.1 branch since commit b6c91ce088ef64bd5b96a5af04885040b42b1816 and will be in the forthcoming V2.1.1 release.
• master branch since commit 904d6c8f2b01de52597b9e16dad19c78ade9e586 and will be in the forthcoming V3.0 release.
• Arduino ESP32 is updated as of commit 7216977234349cb2775b9678bb2559ce93962edc

All ESP-IDF users are encouraged to upgrade as soon as possible.

Thank you to the security researcher Mathy Vanhoef & CERT for finding & disclosing this issue to vendors.

[permal]

And thank you Espressif to be on top of this!

[Lucas.Hutchinson]

Great to hear!

[Ritesh]

(The CVEs and VU# mentioned here are under embargo at the respective sites for a couple more hours so the below links do not work, but the researcher has just released details of the attack which link to these vulnerability references, so we're reproducing them here.)

See the official press release here: http://espressif.com/en/media_overview/ ... t-vu228519

Recently announced vulnerabilities in the WPA2 protocol affected the ESP32 ESP-IDF WiFi support, including released versions v1.0, v2.0 and v2.1.

These vulnerabilities are described in detail at CERT VU#228519 and also individually in CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.

The vulnerabilities are already fixed in these ESP-IDF versions:

• release/v2.1 branch since commit b6c91ce088ef64bd5b96a5af04885040b42b1816 and will be in the forthcoming V2.1.1 release.
• master branch since commit 904d6c8f2b01de52597b9e16dad19c78ade9e586 and will be in the forthcoming V3.0 release.
• Arduino ESP32 is updated as of commit 7216977234349cb2775b9678bb2559ce93962edc

All ESP-IDF users are encouraged to upgrade as soon as possible.

Thank you to the security researcher Mathy Vanhoef & CERT for finding & disclosing this issue to vendors.

Hi,

Thanks for update.

But we have one concern like we have already developed some products using ESP32 2.0 SDK and same for ESP8266 SDK and it is working fine so far. We have also released that product to customer as well.

So, We have provided OTA option in each product so that they can update firmware into their product.

Would it be possible to just apply patch for existing stable ESP32 and ESP8266 SDKs as we don't want to upgrade whole SDKs?

Please provide your suggestions for this so that we can take decision based on that.

[Lucas.Hutchinson]

@Ritesh

Espressif have a path forward for you for this. They have released v2.1 (and soon to have v2.1.1).
This should essentially be v2.0 with the bugfixes you are looking for.

[Ritesh]

@Ritesh

Espressif have a path forward for you for this. They have released v2.1 (and soon to have v2.1.1).
This should essentially be v2.0 with the bugfixes you are looking for.

Yes.

But I just have one concern regarding this issue is that we have already released one product based on ESP32 IDF 2.0 SDK and i don't want to upgrade whole ESP32 SDK now for this issue fix.

SO, Would it be possible to apply that specific patch into ESP32 2.0 IDF Stable Release to fix that issue? If not possible then we need to upgrade current ESP32 IDF 2.0 SDK with ESP32 IDF 2.1 SDK including that fix but we need to validate each and every section/feature which we have used for my application development.

Hope you will understand my concern regarding this issue.

[ESP_Angus]

But I just have one concern regarding this issue is that we have already released one product based on ESP32 IDF 2.0 SDK and i don't want to upgrade whole ESP32 SDK now for this issue fix.

As per the reply I sent you on the other thread, updating to V2.1 and then V2.1.1 is the supported upgrade path for these fixes.

[Ritesh]

But I just have one concern regarding this issue is that we have already released one product based on ESP32 IDF 2.0 SDK and i don't want to upgrade whole ESP32 SDK now for this issue fix.

As per the reply I sent you on the other thread, updating to V2.1 and then V2.1.1 is the supported upgrade path for these fixes.

Yes. But for that I need to upgrade ESP32 IDF SDK from 2.0 to 2.1 as we are right now using ESP32 IDF 2.0 SDK for my application development purpose that is what biggest concern we have as we have already developed 90% Application using ESP32 IDF 2.0 SDK and also validated it.

Hope you will understand my concern as we need to validate each and every section from scratch if we move from ESP32 IDF 2.0 to ESP32 IDF 2.1 SDK and later on ESP32 IDF 2.1.1

[halfro]

But I just have one concern regarding this issue is that we have already released one product based on ESP32 IDF 2.0 SDK and i don't want to upgrade whole ESP32 SDK now for this issue fix.

As per the reply I sent you on the other thread, updating to V2.1 and then V2.1.1 is the supported upgrade path for these fixes.

Yes. But for that I need to upgrade ESP32 IDF SDK from 2.0 to 2.1 as we are right now using ESP32 IDF 2.0 SDK for my application development purpose that is what biggest concern we have as we have already developed 90% Application using ESP32 IDF 2.0 SDK and also validated it.

Hope you will understand my concern as we need to validate each and every section from scratch if we move from ESP32 IDF 2.0 to ESP32 IDF 2.1 SDK and later on ESP32 IDF 2.1.1

Again it depends whether the changes are worth the effort to you to do the migration. I believe you can git cherry pick the patch if I am not wrong if you are insistent on staying on v2.0.

[Ritesh]

As per the reply I sent you on the other thread, updating to V2.1 and then V2.1.1 is the supported upgrade path for these fixes.

Yes. But for that I need to upgrade ESP32 IDF SDK from 2.0 to 2.1 as we are right now using ESP32 IDF 2.0 SDK for my application development purpose that is what biggest concern we have as we have already developed 90% Application using ESP32 IDF 2.0 SDK and also validated it.

Hope you will understand my concern as we need to validate each and every section from scratch if we move from ESP32 IDF 2.0 to ESP32 IDF 2.1 SDK and later on ESP32 IDF 2.1.1

Again it depends whether the changes are worth the effort to you to do the migration. I believe you can git cherry pick the patch if I am not wrong if you are insistent on staying on v2.0.

Thanks for Reply.

I will do it and will let you know if any issue while migrating that changes into ESP32 IDF 2.0 SDK which we are right now using for application development purpose.