EAP Vulnerability in Espressif Products Allows Zero PMK Installation
CVE-2019-12587

8.1 HIGH

Key Information:

Vendor: Espressif
CVE Published: 4 September 2019

Summary

The EAP peer implementation in the affected Espressif products allows a zero Pairwise Master Key (PMK) to be installed after any EAP authentication method completes. An attacker within radio range can then replay, decrypt, or spoof frames, particularly by using a rogue access point. Safeguarding against this risk calls for timely updates and security best practices in wireless networks.

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
