Espressif Releases Patches for WiFi Vulnerabilities (CERT VU#228519)

Oct 16, 2017

Several critical key-management vulnerabilities in the WPA2 security protocol have been discovered. Espressif is hereby releasing patches for these vulnerabilities.
The recently discovered vulnerabilities in the Wi-Fi Protected Access II protocol (WPA2) are of critical security level. These vulnerabilities, also known as KRACK (Key Reinstallation Attack), allow users' internet connections to be hijacked or eavesdropped, while malicious packet injections may also occur.
These vulnerabilities were specified in detail by the United States' Computer Emergency Readiness Team in CERT VU#228519, a note that was originally released on October 16th, 2017The following CVE IDs have been assigned to document the above-mentioned vulnerabilities in the WPA2 protocol: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088. 
These vulnerabilities affected the ESP8266 WiFi support and the ESP32 ESP-IDF WiFi support, including released versions v1.0, v2.0 and v2.1. However, Espressif has already fixed them in the following ESP-IDF and ESP8266 versions:
  • release/v2.1  (ESP-IDF) branch, since commit b6c91ce088ef64bd5b96a5af04885040b42b1816; it will appear in the forthcoming V2.1.1 release.
  • master branch (ESP-IDF), since commit 904d6c8f2b01de52597b9e16dad19c78ade9e586; it will appear in the forthcoming V3.0 release.
  • ESP8266 RTOS (ESP8266) master branch, since commit 2fab9e23d779cdd6e5900b8ba2b588e30d9b08c4. 
  • ESP8266 NON-OS (ESP8266) master branch, since commit b762ea222ee94b9ffc5e040f4bf78dd8ba4db596.
Additionally, Arduino ESP32 has been updated accordingly and the relevant link can be found here. Therefore, all Espressif chipset users are strongly encouraged to upgrade their systems as soon as possible.
Many thanks to IT security researcher Mathy Vanhoef, who is a member of the imec-DistriNet group at KU Leuven University, for reporting this issue in the first place. You can find more information about his work on these vulnerabilities here.
  • News
    Espressif emphatically states that the recent rumours about its acquisition by the Alibaba Group could not be further from reality.
  • News
    Espressif’s new ESP32-LyraT Dev Board and Audio Development Framework help users accelerate time to market and reduce the development cost of dual-mode (Wi-Fi+Bluetooth) audio solutions.
  • News
    Mexico City is hosting the annual “Talent Land” event from April 2nd until 6th. If you attend the event, do not miss out on getting a limited-edition electronic badge based on ESP8266!