See the official press release here: http://espressif.com/en/media_overview/ ... t-vu228519
Recently announced vulnerabilities in the WPA2 protocol affected the ESP32 ESP-IDF WiFi support, including released versions v1.0, v2.0 and v2.1.
These vulnerabilities are described in detail at CERT VU#228519 and also individually in CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.
The vulnerabilities are already fixed in these ESP-IDF versions:
- release/v2.1 branch, since commit b6c91ce088ef64bd5b96a5af04885040b42b1816; the fix will be in the forthcoming V2.1.1 release.
- master branch, since commit 904d6c8f2b01de52597b9e16dad19c78ade9e586; the fix will be in the forthcoming V3.0 release.
- Arduino ESP32 is updated as of commit 7216977234349cb2775b9678bb2559ce93962edc.
Thank you to the security researcher Mathy Vanhoef & CERT for finding & disclosing this issue to vendors.
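To confirm that a local checkout already contains one of the fix commits listed above, you can test ancestry with git. This is an added example, not Espressif's code; the function name `has_fix` and its return codes are assumptions made for illustration.

```shell
# Added example: does the checked-out HEAD contain a KRACK fix commit?
# The two ESP-IDF commit ids below are the ones listed in the advisory above.
KRACK_FIX_COMMITS="b6c91ce088ef64bd5b96a5af04885040b42b1816 904d6c8f2b01de52597b9e16dad19c78ade9e586"

# has_fix REPO_DIR [COMMIT...]   (hypothetical helper)
#   0  HEAD contains at least one of the fix commits
#   1  a fix commit is known to the repository but is not an ancestor of HEAD
#   2  REPO_DIR is not a git work tree
#   3  no fix commit object is present (stale or shallow clone): fetch and retry
# With no COMMIT arguments the ESP-IDF ids above are used. For an Arduino ESP32
# checkout, pass the Arduino ESP32 commit id from the advisory explicitly.
has_fix() {
    hf_repo=$1
    shift
    [ $# -gt 0 ] || set -- $KRACK_FIX_COMMITS

    git -C "$hf_repo" rev-parse --git-dir >/dev/null 2>&1 || return 2

    hf_seen=0
    for hf_commit in "$@"; do
        # A commit object that is absent cannot be tested for ancestry.
        git -C "$hf_repo" cat-file -e "${hf_commit}^{commit}" 2>/dev/null || continue
        hf_seen=1
        if git -C "$hf_repo" merge-base --is-ancestor "$hf_commit" HEAD 2>/dev/null; then
            return 0
        fi
    done

    [ "$hf_seen" -eq 1 ] && return 1
    return 3
}
```

Source the file and call `has_fix "$IDF_PATH"`. A return code of 3 is inconclusive rather than a pass, so run `git fetch` (with full history) and check again.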