EAP Peer Implementation Vulnerability in Espressif Products
CVE-2019-12586

6.5MEDIUM

Key Information:

Vendor
Espressif
Status
Esp-idf
Arduino-esp32
Vendor
CVE Published:
4 September 2019

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The EAP peer implementation in specified Espressif products has a flaw that processes EAP Success messages prematurely, allowing potential attackers within radio range to send specially crafted messages. This can lead to a denial of service by disrupting the normal functioning of the devices, causing them to crash unexpectedly. To ensure the security of systems using affected versions, administrators should consider updating to the latest patches or implementing mitigation strategies.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

esp32_esp8266_attacks
Created by Matheus-Garbelini

References

https://github.com/espressif
x_refsource_MISC
https://github.com/Matheus-Garbelini/esp32_esp8266_attacks
x_refsource_MISC
https://matheus-garbelini.github.io/home/post/esp32-esp82...
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability Reserved

.
CVE-2019-12586 : EAP Peer Implementation Vulnerability in Espressif Products | SecurityVulnerability.io