CVE-2023-46894: Cryptographic API Misuse Vulnerability: AES ECB used for initialization (ESPTOOL-756) · Issue #926 · espressif/esptool

An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm.

Operating System

ALL

Esptool Version

4.6.2

Python Version

python3.x

Full Esptool Command Line that Was Run

None

Esptool Output

Description: I have identified a security vulnerability in the esptool project’s use of AES ECB (Electronic Codebook) mode for initialization. This vulnerability can potentially expose sensitive information and compromise the security of the application.

Locations:
https://github.com/espressif/esptool/blob/master/espsecure/__init__.py#L128
https://github.com/espressif/esptool/blob/master/espsecure/__init__.py#L1195

Version: esptool <= 4.6.2

What is the Expected Behaviour?

Expected Behavior:
Instead of using AES ECB, it is recommended to use more secure encryption modes, such as AES CBC (Cipher Block Chaining) or AES GCM (Galois/Counter Mode), for configuration in order to enhance the security of esptool.

Recommendations:
It is strongly recommended to update the project’s code at line 128 and line 1195 in the __init__.py file to use more secure encryption modes, such as AES CBC or AES GCM, for configuration. This will help mitigate the potential security risks associated with using AES ECB. Otherwise, the cryptography.io (https://cryptography.io/) crypto library is a good programming practice.

More Information

No response

Other Steps to Reproduce

No response
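
One way to locate ECB mode selections such as the two line references in the report above, as an added example that is not part of the original issue or of esptool's code. The sample source and the helper name `find_ecb_uses` are constructed for illustration; the mode names it matches are those of the `cryptography` library and PyCryptodome.

```python
import ast

# Constructed sample source (not esptool code): two ECB uses and one GCM use.
SAMPLE = '''\
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from Crypto.Cipher import AES

def wrap(key, block):
    cipher = Cipher(algorithms.AES(key), modes.ECB())
    return cipher.encryptor().update(block)

def legacy(key, data):
    return AES.new(key, AES.MODE_ECB).encrypt(data)

def sealed(key, nonce, data):
    enc = Cipher(algorithms.AES(key), modes.GCM(nonce)).encryptor()
    return enc.update(data) + enc.finalize(), enc.tag
'''

# Mode names in `cryptography` (modes.ECB) and PyCryptodome (AES.MODE_ECB).
ECB_NAMES = {"ECB", "MODE_ECB"}


def find_ecb_uses(source, filename="<source>"):
    """Return sorted (line, expression) pairs where an ECB mode is referenced.

    Hypothetical helper for this example. Import statements are not reported,
    only the places where the mode is actually used.
    """
    hits = set()
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Attribute) and node.attr in ECB_NAMES:
            hits.add((node.lineno, ast.unparse(node)))  # e.g. modes.ECB
        elif isinstance(node, ast.Name) and node.id in ECB_NAMES:
            hits.add((node.lineno, node.id))  # after `from ... import ECB`
    return sorted(hits)


if __name__ == "__main__":
    for line, expr in find_ecb_uses(SAMPLE):
        print(f"line {line}: {expr} selects ECB; review what is encrypted here")
```

A hit is a lead for review rather than a confirmed leak: ECB reveals equal plaintext blocks as equal ciphertext blocks, so the exposure depends on how much data is encrypted under one key and how structured it is.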

Related news

GHSA-3f38-96qm-r3fw: esptool allows attackers to view sensitive information via weak cryptographic algorithm

An issue discovered in esptool 4.6.2 allows attackers to view sensitive information via weak cryptographic algorithm.
