
Security advisories about Zero PMK installation and beacon crash

Shanghai, China
Sep 10, 2019

Recently 3 vulnerabilities have been disclosed related to ESP8266 & ESP32 Wi-Fi features, particularly WPA2 Enterprise: Zero PMK Installation (CVE-2019-12587), EAP Client Crash (CVE-2019-12586) and Beacon Frame Crash (CVE-2019-12588).

Overview

Recently 3 vulnerabilities have been disclosed related to ESP8266 & ESP32 Wi-Fi features, particularly WPA2 Enterprise:

  • Zero PMK Installation: When a vulnerable ESP8266 or ESP32 connects to a WPA2 Enterprise access point (AP), the attacker can take control of an EAP session by injecting a custom EAP-FAIL Wi-Fi frame in the final step of the connection. (CVE-2019-12587)
  • EAP Client Crash: When a vulnerable ESP8266 or ESP32 is connected to a WPA2 Enterprise access point (AP), the attacker can cause a crash by injecting a custom Wi-Fi frame. (CVE-2019-12586)
  • Beacon Frame Crash: An ESP8266 can be crashed by an attacker who injects a carefully crafted Wi-Fi beacon frame. (CVE-2019-12588)

ESP32 users: Current ESP-IDF stable releases V3.1.5 and V3.3 (latest stable release) already contain fixes. Upcoming ESP-IDF releases V3.0.9, V3.2.3 and V4.0 will also contain fixes. See below for more details. All users of WPA2-Enterprise client features are encouraged to update.

ESP8266 users: Fixes will be contained in ESP8266 Non-OS SDK releases v2.2.1 and v3.0.2. The Beacon Frame Crash issue is already fixed in Non-OS SDK pre-release branches. See below for more details. All users are encouraged to update once fixes are available.

These issues were found and reported to us by Matheus Garbelini and we thank him for his responsible disclosure.

Zero PMK Installation (CVE-2019-12587)

This issue affects ESP8266 non-OS SDK and ESP32. The impact is a bypass of 802.1x authentication if the AP has rogue behavior, and denial of service otherwise.

In vulnerable versions, the station WPA2-Enterprise feature contains this vulnerability. It allows an attacker within Wi-Fi range to take control of an EAP session by sending an EAP-FAIL message in the final step of the connection between the station and the access point (AP). If an EAP-FAIL message is received before the EAP-SUCCESS, the station skips updating the PMK received during the normal EAP exchange (EAP-PEAP or EAP-TTLS). Additionally, the device then accepts the EAPoL 4-Way handshake as normal if the attacker uses an all-zero PMK.

Because the original AP is also able to see this EAP-FAIL exchange, it should react by deauthenticating the station, as per section 11.3.4 of the 802.11-2016 specification:

"If STA A in an infrastructure BSS receives a Class 2 or Class 3 frame from STA B that is not authenticated with STA A (i.e., the state for STA B is State 1), STA A shall discard the frame. If the frame has an individual address in the Address 1 field, the MLME of STA A shall send a Deauthentication frame to STA B."

If the AP implements this behaviour correctly, the station will be deauthenticated and impact is limited to denial of service.

EAP Client Crash (CVE-2019-12586)

This issue affects ESP8266 non-OS SDK and ESP32. The impact is denial of service (crash).

In vulnerable versions, the station WPA2-Enterprise feature contains this vulnerability. It allows an attacker within Wi-Fi range to cause a crash in an ESP32 in WPA2 Enterprise station mode by sending EAP-SUCCESS before PMK negotiation is completed.
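The two EAP-state defects above (an EAP-FAIL that leaves the station willing to run the 4-way handshake on an all-zero PMK, and an EAP-SUCCESS handled before any PMK exists) come down to the supplicant's ordering checks. The following Python model is an added illustration and is not Espressif's code; it does not reproduce the real ESP-IDF supplicant. The class and function names are hypothetical, the PTK derivation and EAPOL-Key MIC are simplified HMAC stand-ins rather than the 802.11 PRF, and the MACs, nonces and key material are constructed. It places the vulnerable handling beside a hardened variant that refuses the handshake when no PMK was installed by a successful EAP exchange, and ignores a premature EAP-SUCCESS instead of dereferencing missing key material.

```python
"""Model of WPA2-Enterprise supplicant EAP/4-way handshake state handling.

Added illustration for this advisory; hypothetical code, not ESP-IDF.
The vulnerable variant models the behaviour the advisory describes for
CVE-2019-12587 and CVE-2019-12586; the hardened variant adds the checks.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
from typing import List, Optional

PMK_LEN = 32
ZERO_PMK = bytes(PMK_LEN)  # the all-zero PMK the advisory mentions
# Constructed stand-in for key material a real PEAP/TTLS exchange would yield.
NEGOTIATED_PMK = hashlib.sha256(b"constructed PEAP/TTLS key material").digest()


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Simplified stand-in for the 802.11 PTK PRF (hypothetical, not the real KDF)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk, b"Pairwise key expansion" + data, hashlib.sha256).digest()


def mic(kck: bytes, frame: bytes) -> bytes:
    """Simplified EAPOL-Key MIC: HMAC over the frame body keyed with the KCK."""
    return hmac.new(kck, frame, hashlib.sha256).digest()[:16]


@dataclass
class Supplicant:
    hardened: bool
    spa: bytes                              # station MAC
    installed_pmk: bytes = ZERO_PMK         # PMK buffer as the firmware starts: all zeros
    pmk_valid: bool = False                 # hardened build tracks a genuinely installed PMK
    pending_pmk: Optional[bytes] = None     # PMK produced by the inner method, not yet installed
    ptk: Optional[bytes] = None
    log: List[str] = field(default_factory=list)

    def on_eap_method_pmk(self, pmk: bytes) -> None:
        """Inner EAP method (PEAP/TTLS) finished and yielded a PMK; installed on EAP-SUCCESS."""
        self.pending_pmk = pmk
        self.log.append("inner method produced PMK (pending)")

    def on_eap_success(self) -> bool:
        if self.pending_pmk is None:
            # CVE-2019-12586 model: EAP-SUCCESS before PMK negotiation completed.
            if self.hardened:
                self.log.append("EAP-SUCCESS before PMK negotiation: ignored")
                return False
            raise RuntimeError("crash: EAP-SUCCESS handled with no negotiated PMK")
        self.installed_pmk = self.pending_pmk
        self.pmk_valid = True
        self.log.append("EAP-SUCCESS: PMK installed")
        return True

    def on_eap_fail(self) -> None:
        # CVE-2019-12587 model: the vulnerable station records the failure but
        # leaves the PMK buffer untouched (still zeros) and stays in the session.
        self.log.append("EAP-FAIL received")
        if self.hardened:
            self.pending_pmk = None
            self.installed_pmk = ZERO_PMK
            self.pmk_valid = False
            self.log.append("EAP state reset; 4-way handshake will be refused")

    def on_four_way(self, aa: bytes, anonce: bytes, snonce: bytes,
                    msg3_body: bytes, msg3_mic: bytes) -> bool:
        """Messages 1 and 3 of the 4-way handshake collapsed into one step."""
        if self.hardened and not self.pmk_valid:
            self.log.append("4-way handshake refused: no PMK from a successful EAP exchange")
            return False
        ptk = derive_ptk(self.installed_pmk, aa, self.spa, anonce, snonce)
        if not hmac.compare_digest(mic(ptk[:16], msg3_body), msg3_mic):
            self.log.append("4-way handshake rejected: MIC mismatch")
            return False
        self.ptk = ptk
        self.log.append("4-way handshake accepted, PTK installed")
        return True


def run_session(hardened: bool, eap_outcome: str, peer_pmk: bytes) -> bool:
    """Drive a station through EAP, then a 4-way handshake from a peer holding peer_pmk.

    eap_outcome: "success" (PMK derived, then EAP-SUCCESS),
                 "fail_before_success" (PMK derived, then EAP-FAIL instead of EAP-SUCCESS),
                 "success_before_pmk" (EAP-SUCCESS with no PMK negotiated).
    Returns True when the station installs a PTK, i.e. treats the handshake as valid.
    """
    aa, spa = bytes.fromhex("02000000000a"), bytes.fromhex("02000000000b")  # constructed MACs
    anonce, snonce = b"A" * 32, b"S" * 32                                    # constructed nonces
    sta = Supplicant(hardened=hardened, spa=spa)
    if eap_outcome == "success":
        sta.on_eap_method_pmk(NEGOTIATED_PMK)
        sta.on_eap_success()
    elif eap_outcome == "fail_before_success":
        sta.on_eap_method_pmk(NEGOTIATED_PMK)
        sta.on_eap_fail()
    elif eap_outcome == "success_before_pmk":
        sta.on_eap_success()
    else:
        raise ValueError(eap_outcome)
    peer_ptk = derive_ptk(peer_pmk, aa, spa, anonce, snonce)
    msg3 = b"EAPOL-Key msg3: RSNE + GTK"  # constructed body
    return sta.on_four_way(aa, anonce, snonce, msg3, mic(peer_ptk[:16], msg3))


def eap_success_before_pmk_crashes(hardened: bool) -> bool:
    """True if the modelled station 'crashes' (raises) on a premature EAP-SUCCESS."""
    try:
        run_session(hardened, "success_before_pmk", ZERO_PMK)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    print("vulnerable, EAP-FAIL then zero-PMK handshake:", run_session(False, "fail_before_success", ZERO_PMK))
    print("hardened,   EAP-FAIL then zero-PMK handshake:", run_session(True, "fail_before_success", ZERO_PMK))
    print("vulnerable, EAP-SUCCESS before PMK crashes:", eap_success_before_pmk_crashes(False))
    print("hardened,   EAP-SUCCESS before PMK crashes:", eap_success_before_pmk_crashes(True))
```

The model also shows the denial-of-service half of the advisory: after the EAP-FAIL, a vulnerable station still holding the zero PMK cannot complete the handshake with a legitimate AP that uses the real PMK (MIC mismatch), while the hardened station refuses any handshake until a fresh, successful EAP exchange installs a PMK.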

Beacon Frame Crash (CVE-2019-12588)

The issue affects ESP8266 only. The impact is denial of service (crash).

In vulnerable versions, an attacker within Wi-Fi range can inject a malformed beacon frame and crash the ESP8266.

Patched versions of ESP-IDF

For ESP32, ESP-IDF stable releases V3.1.5 and V3.3 already contain fixes. To update to these versions, see:

The upcoming ESP-IDF v3.0.9, v3.2.3 and v4.0 releases will also contain fixes. Before v3.0.9 and v3.2.3 are released, to update to a pre-release version with the fix, see the following release branches:

All users of the WPA2-Enterprise feature on ESP32 are encouraged to update.

Patched versions of ESP8266 SDKs

Fixes will be contained in ESP8266 Non-OS SDK releases v2.2.1 and v3.0.2.

The following ESP8266 Non-OS SDK pre-release branches already contain fixes for the Beacon Frame Crash issue:

The Beacon Frame Crash issue is not present in ESP8266 RTOS SDK versions newer than 2015. ESP8266 RTOS SDK does not yet support WPA2 Enterprise; this feature is planned for the next release, and the fixes will be included.

All users of ESP8266 non-OS SDK are encouraged to update.
