Headline
CVE-2020-11015: Device Authentication Vulnerability: Possible MAC address collision
A vulnerability has been disclosed in thinx-device-api IoT Device Management Server before version 2.5.0. Device MAC address can be spoofed. This means initial registration requests without UDID and spoofed MAC address may pass to create new UDID with same MAC address. Full impact needs to be reviewed further. Applies to all (mostly ESP8266/ESP32) users. This has been fixed in firmware version 2.5.0.
Impact
What kind of vulnerability is it? Who is impacted?
Device MAC address can be spoofed. This means initial registration requests without UDID and spoofed MAC address may pass to create new UDID with same MAC address. Full impact needs to be reviewed further. Applies to all (mostly ESP8266/ESP32) users.
Patches
In what version this will be fixed?
Regarding firmware, this will be patched in 2.5.0 by providing Flash Chip ID as unique identifier extension. Needs to be solved for ESP32, for EP8266 the solution is available.
In the API this needs further investigation.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
There’s no easy way to tell this happened. If user encounters same MAC addresses for different devices, there is the same method option to change that programatically before initiating following network connections:
uint8_t newMACAddress[] = {0x32, 0xAE, 0xA4, 0x07, 0x0D, 0x66};
esp_wifi_set_mac(ESP_IF_WIFI_STA, &newMACAddress[0]);
References
Are there any links users can visit to find out more?
Vendor site: Getting Real Flash ID for ESP32
For more information
If you have any questions or comments about this advisory:
- Open an issue in in this repo
- Email us at direct