Espressif Systems Flaws Allow Hackers to Execute Arbitrary Code

A series of vulnerabilities has been discovered in Espressif Systems’ ESP32 devices, specifically affecting the BluFi module within the ESP-IDF framework.

BluFi is designed to simplify WiFi configuration using a Bluetooth interface.

These flaws, identified by the NCC Group, enable attackers to execute arbitrary code on ESP32 devices and potentially access sensitive information such as WiFi network credentials.

The vulnerabilities were found in ESP-IDF versions 5.0.7, 5.1.5, 5.2.3, and 5.3.1. These versions are among the latest supported releases, but the issue likely extends to other versions.

The primary systems at risk are ESP32 devices utilizing the ESP-IDF framework.

Technical Details

The vulnerabilities include memory corruption and cryptographic weaknesses within the ESP32 BluFi reference application.

This application is widely used in projects leveraging the BluFi interface for easy WiFi setup.

As a result, attackers can exploit these vulnerabilities over Bluetooth to achieve arbitrary code execution, potentially compromising device security and accessing confidential data.

The risks associated with these vulnerabilities are high due to the potential for remote code execution via wireless interfaces.

An attacker could exploit these flaws to gain control over affected ESP32 devices, compromising not only the device itself but also any connected network.

The ability to access WiFi credentials further enhances the risk by allowing an attacker to join targeted WiFi networks.

Recommendations

To mitigate these risks, developers are advised to apply patches from the official ESP-IDF repository. Patches are available in various branches:

• Master: 3fc6c93936077cb1659e1f0e0268e62cf6423e9d
• v5.4: 5f93ec3b11b6115475c34de57093b3672d594e8f
• v5.3: f40aa9c587a8e570dfde2e6330382dcd170d5a5d
• v5.2: bf50c0c197af30990026c8f8286298d2aa5a3c99
• v5.1: b1657d9dd4d0e48ed25e02cb8fe8413f479a2a84
• v5.0: cc00e9f2fc4f7e8fbaff27851b4a8b45fa483501

For detailed vulnerability descriptions and comprehensive fix recommendations, developers should refer to the report submitted to Espressif Systems.

Despite these significant vulnerabilities, Espressif Systems declined to issue a public advisory or assign CVE identifiers.

However, patches have been made available in the ESP-IDF repository, reflecting the company’s effort to address these security concerns without formal acknowledgment.

The vulnerabilities in Espressif’s ESP32 BluFi module highlight the need for proactive security measures in IoT devices.

Developers should implement the available patches promptly to safeguard against potential attacks. This incident underscores the importance of responsible disclosure and timely responses from vendors to protect user security and privacy.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.