Three vulnerabilities discovered that can crash and take over ESP microcontrollers
Several vulnerabilities have been found in the popular ESP32 and ESP8266 IoT microcontrollers. They make it possible to crash development boards built on those SoCs, and also to take over a session. Most of the vulnerabilities have since been fixed, but one is still open.
It concerns three vulnerabilities in the ESP8266 chips and the development boards based on them, two of which also apply to ESP32 chips. They were discovered by Matheus Garbelini, who published details about them on GitHub.
One of the vulnerabilities, CVE-2019-12588, is a fairly simple way to crash an ESP8266. It is possible because, when the ESP connects to an access point, the chipset does not check how many authentication methods the access point advertises. Sending an excessive amount of data to an ESP can therefore trigger a buffer overflow that crashes the device. A similar vulnerability exists in the SDKs of both the ESP32 and the ESP8266: it too can be flooded with data, even when the device is already connected to a network. According to Garbelini, CVE-2019-12586 has been fixed for the ESP32, but not yet fully for the RTOS (real-time operating system) core of the ESP8266. The patches that are available have since been incorporated into the Arduino IDE.
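The class of bug described above, a count field taken from an untrusted frame and used to size a copy into a fixed buffer, is illustrated below as an added example. This is not Garbelini's proof-of-concept code and not Espressif's SDK code; the frame layout (one count byte followed by four-byte entries) is a constructed simplification, not the real 802.11 element format, and the function names and sample frames are hypothetical. The checked parser rejects a frame whose claimed count exceeds the receiver's buffer and one whose claimed count exceeds the bytes actually present; the dry-run helper reports how far an unchecked copy would have written past the buffer without performing the copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified frame format (not the real 802.11 layout):
 *   byte 0   : number of entries the sender claims to list
 *   bytes 1+ : 'count' entries of ENTRY_LEN bytes each
 * The receiver keeps at most MAX_ENTRIES of them in a fixed buffer. */
#define ENTRY_LEN   4
#define MAX_ENTRIES 4

typedef struct {
    uint8_t entries[MAX_ENTRIES][ENTRY_LEN];
    size_t  n;
} entry_list_t;

/* Hardened parser. Returns 0 on success, -1 if the frame is rejected.
 * Both checks are required: the claimed count must fit the receiver's
 * buffer (no overwrite) AND the frame must really carry that many bytes
 * (no over-read past the end of the received data). */
int parse_entries_checked(const uint8_t *frame, size_t frame_len, entry_list_t *out)
{
    if (frame == NULL || out == NULL || frame_len < 1)
        return -1;
    size_t count = frame[0];
    if (count > MAX_ENTRIES)                 /* would overflow out->entries */
        return -1;
    if (frame_len - 1 < count * ENTRY_LEN)   /* sender claimed more than it sent */
        return -1;
    memcpy(out->entries, frame + 1, count * ENTRY_LEN);
    out->n = count;
    return 0;
}

/* Dry run of the unchecked pattern: how many bytes past the end of the
 * fixed buffer would a memcpy sized solely by the sender's count write?
 * No copy is performed, so it is safe to call with hostile input. */
size_t unchecked_overrun_bytes(const uint8_t *frame, size_t frame_len)
{
    if (frame == NULL || frame_len < 1)
        return 0;
    size_t claimed = (size_t)frame[0] * ENTRY_LEN;
    size_t capacity = (size_t)MAX_ENTRIES * ENTRY_LEN;
    return claimed > capacity ? claimed - capacity : 0;
}

/* Constructed sample frames (hypothetical inputs, not captured traffic). */
static const uint8_t FRAME_GOOD[]      = {2, 1, 2, 3, 4, 5, 6, 7, 8}; /* 2 entries, complete */
static const uint8_t FRAME_HUGE[]      = {200, 0, 0, 0, 0};          /* claims 200, sends 4 bytes */
static const uint8_t FRAME_TRUNCATED[] = {3, 1, 2, 3, 4, 5, 6};      /* claims 3, sends 6 bytes */

/* Helpers that run each constructed frame through the checked parser and
 * return the verdict, so the outcome can be asserted on rather than printed. */
int verdict_good(void)
{
    entry_list_t l;
    return parse_entries_checked(FRAME_GOOD, sizeof FRAME_GOOD, &l) == 0
           && l.n == 2 && l.entries[1][0] == 5;
}
int verdict_huge(void)
{
    entry_list_t l;
    return parse_entries_checked(FRAME_HUGE, sizeof FRAME_HUGE, &l);
}
int verdict_truncated(void)
{
    entry_list_t l;
    return parse_entries_checked(FRAME_TRUNCATED, sizeof FRAME_TRUNCATED, &l);
}
size_t huge_overrun(void)
{
    return unchecked_overrun_bytes(FRAME_HUGE, sizeof FRAME_HUGE);
}

int main(void)
{
    printf("well-formed frame accepted : %s\n", verdict_good() ? "yes" : "no");
    printf("oversized count rejected   : %s\n", verdict_huge() == -1 ? "yes" : "no");
    printf("truncated frame rejected   : %s\n", verdict_truncated() == -1 ? "yes" : "no");
    printf("unchecked copy would overrun by %zu bytes\n", huge_overrun());
    return 0;
}
```

The point for reviewers of any frame parser is the pair of comparisons in parse_entries_checked: the count must be bounded by both the destination capacity and the source length, and a single oversized byte from the network is enough to defeat code that trusts it.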
The third vulnerability, CVE-2019-12587, makes it possible to take over a session on the ESPs completely. This is because the Pairwise Master Key can be intercepted and manipulated during pairing, so that an attacker with a self-made access point can eavesdrop on the session. This only works, however, if the communication between the ESPs and the access point is not encrypted with TLS, which is often the case. Garbelini points out that the other two vulnerabilities can be used to reset the ESPs, forcing a new pairing that can then be intercepted with the third. According to the discoverer, that vulnerability is also still open on the ESP8266.