WiFi WPA2 protocol vulnerabilities (VU#228519)

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

WiFi WPA2 protocol vulnerabilities (VU#228519)

Postby ESP_Angus » Mon Oct 16, 2017 9:41 am

(The CVEs and VU# mentioned here are under embargo at the respective sites for a couple more hours so the below links do not work, but the researcher has just released details of the attack which link to these vulnerability references, so we're reproducing them here.)

See the official press release here: http://espressif.com/en/media_overview/ ... t-vu228519

Recently announced vulnerabilities in the WPA2 protocol affected the ESP32 ESP-IDF WiFi support, including released versions v1.0, v2.0 and v2.1.

These vulnerabilities are described in detail at CERT VU#228519 and also individually in CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.

The vulnerabilities are already fixed in these ESP-IDF versions: All ESP-IDF users are encouraged to upgrade as soon as possible.

Thank you to the security researcher Mathy Vanhoef & CERT for finding & disclosing this issue to vendors.

permal
Posts: 384
Joined: Sun May 14, 2017 5:36 pm

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Postby permal » Mon Oct 16, 2017 5:58 pm

And thank you Espressif to be on top of this!

Lucas.Hutchinson
Posts: 79
Joined: Tue Apr 26, 2016 5:10 am

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Postby Lucas.Hutchinson » Mon Oct 16, 2017 7:15 pm

Great to hear!

Ritesh
Posts: 1383
Joined: Tue Sep 06, 2016 9:37 am
Location: India
Contact:

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Postby Ritesh » Wed Oct 18, 2017 10:26 am

ESP_Angus wrote:(The CVEs and VU# mentioned here are under embargo at the respective sites for a couple more hours so the below links do not work, but the researcher has just released details of the attack which link to these vulnerability references, so we're reproducing them here.)

See the official press release here: http://espressif.com/en/media_overview/ ... t-vu228519

Recently announced vulnerabilities in the WPA2 protocol affected the ESP32 ESP-IDF WiFi support, including released versions v1.0, v2.0 and v2.1.

These vulnerabilities are described in detail at CERT VU#228519 and also individually in CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.

The vulnerabilities are already fixed in these ESP-IDF versions: All ESP-IDF users are encouraged to upgrade as soon as possible.

Thank you to the security researcher Mathy Vanhoef & CERT for finding & disclosing this issue to vendors.
Hi,

Thanks for update.

But we have one concern like we have already developed some products using ESP32 2.0 SDK and same for ESP8266 SDK and it is working fine so far. We have also released that product to customer as well.

So, We have provided OTA option in each product so that they can update firmware into their product.

Would it be possible to just apply patch for existing stable ESP32 and ESP8266 SDKs as we don't want to upgrade whole SDKs?

Please provide your suggestions for this so that we can take decision based on that.
Regards,
Ritesh Prajapati

Lucas.Hutchinson
Posts: 79
Joined: Tue Apr 26, 2016 5:10 am

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Postby Lucas.Hutchinson » Wed Oct 18, 2017 9:17 pm

@Ritesh

Espressif have a path forward for you for this. They have released v2.1 (and soon to have v2.1.1).
This should essentially be v2.0 with the bugfixes you are looking for.

Ritesh
Posts: 1383
Joined: Tue Sep 06, 2016 9:37 am
Location: India
Contact:

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Postby Ritesh » Thu Oct 19, 2017 5:21 am

Lucas.Hutchinson wrote:@Ritesh

Espressif have a path forward for you for this. They have released v2.1 (and soon to have v2.1.1).
This should essentially be v2.0 with the bugfixes you are looking for.
Yes.

But I just have one concern regarding this issue is that we have already released one product based on ESP32 IDF 2.0 SDK and i don't want to upgrade whole ESP32 SDK now for this issue fix.

SO, Would it be possible to apply that specific patch into ESP32 2.0 IDF Stable Release to fix that issue? If not possible then we need to upgrade current ESP32 IDF 2.0 SDK with ESP32 IDF 2.1 SDK including that fix but we need to validate each and every section/feature which we have used for my application development.

Hope you will understand my concern regarding this issue.
Regards,
Ritesh Prajapati

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Postby ESP_Angus » Fri Oct 20, 2017 11:09 am

Ritesh wrote: But I just have one concern regarding this issue is that we have already released one product based on ESP32 IDF 2.0 SDK and i don't want to upgrade whole ESP32 SDK now for this issue fix.
As per the reply I sent you on the other thread, updating to V2.1 and then V2.1.1 is the supported upgrade path for these fixes.

Ritesh
Posts: 1383
Joined: Tue Sep 06, 2016 9:37 am
Location: India
Contact:

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Postby Ritesh » Sat Oct 21, 2017 4:07 am

ESP_Angus wrote:
Ritesh wrote: But I just have one concern regarding this issue is that we have already released one product based on ESP32 IDF 2.0 SDK and i don't want to upgrade whole ESP32 SDK now for this issue fix.
As per the reply I sent you on the other thread, updating to V2.1 and then V2.1.1 is the supported upgrade path for these fixes.
Yes. But for that I need to upgrade ESP32 IDF SDK from 2.0 to 2.1 as we are right now using ESP32 IDF 2.0 SDK for my application development purpose that is what biggest concern we have as we have already developed 90% Application using ESP32 IDF 2.0 SDK and also validated it.

Hope you will understand my concern as we need to validate each and every section from scratch if we move from ESP32 IDF 2.0 to ESP32 IDF 2.1 SDK and later on ESP32 IDF 2.1.1
Regards,
Ritesh Prajapati

halfro
Posts: 18
Joined: Sat Jul 15, 2017 11:13 am

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Postby halfro » Sat Oct 21, 2017 12:06 pm

Ritesh wrote:
ESP_Angus wrote:
Ritesh wrote: But I just have one concern regarding this issue is that we have already released one product based on ESP32 IDF 2.0 SDK and i don't want to upgrade whole ESP32 SDK now for this issue fix.
As per the reply I sent you on the other thread, updating to V2.1 and then V2.1.1 is the supported upgrade path for these fixes.
Yes. But for that I need to upgrade ESP32 IDF SDK from 2.0 to 2.1 as we are right now using ESP32 IDF 2.0 SDK for my application development purpose that is what biggest concern we have as we have already developed 90% Application using ESP32 IDF 2.0 SDK and also validated it.

Hope you will understand my concern as we need to validate each and every section from scratch if we move from ESP32 IDF 2.0 to ESP32 IDF 2.1 SDK and later on ESP32 IDF 2.1.1
Again it depends whether the changes are worth the effort to you to do the migration. I believe you can git cherry pick the patch if I am not wrong if you are insistent on staying on v2.0.

Ritesh
Posts: 1383
Joined: Tue Sep 06, 2016 9:37 am
Location: India
Contact:

Re: WiFi WPA2 protocol vulnerabilities (VU#228519)

Postby Ritesh » Mon Oct 23, 2017 8:29 am

halfro wrote:
Ritesh wrote:
ESP_Angus wrote:
As per the reply I sent you on the other thread, updating to V2.1 and then V2.1.1 is the supported upgrade path for these fixes.
Yes. But for that I need to upgrade ESP32 IDF SDK from 2.0 to 2.1 as we are right now using ESP32 IDF 2.0 SDK for my application development purpose that is what biggest concern we have as we have already developed 90% Application using ESP32 IDF 2.0 SDK and also validated it.

Hope you will understand my concern as we need to validate each and every section from scratch if we move from ESP32 IDF 2.0 to ESP32 IDF 2.1 SDK and later on ESP32 IDF 2.1.1
Again it depends whether the changes are worth the effort to you to do the migration. I believe you can git cherry pick the patch if I am not wrong if you are insistent on staying on v2.0.
Thanks for Reply.

I will do it and will let you know if any issue while migrating that changes into ESP32 IDF 2.0 SDK which we are right now using for application development purpose.
Regards,
Ritesh Prajapati

Who is online

Users browsing this forum: Majestic-12 [Bot] and 155 guests