CVE-2022-24893

Software Component

ESP BLE Mesh: https://github.com/espressif/esp-idf/tree/master/components/bt/esp_ble_mesh
Documentation: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/bluetooth/esp-ble-mesh.html

Impact

In Espressif’s Bluetooth Mesh SDK (ESP-BLE-MESH), a memory corruption vulnerability can be triggered during provisioning, because there is no check for the SegN field of the Transaction Start PDU. This can result in memory corruption related attacks and potentially attacker gaining control of the entire system.

Normally there are two fields in the Transaction Start PDU that need to be checked, i.e., the TotalLength field and the SegN field. Since we only checked the TotalLength field, an attacker can send a Provisioning PDU with an invalid SegN field, which will cause the message handled by the firmware to be much larger than the current buffer could store, thus causing a memory corruption issue to global buffer.

Patches

Patched versions of ESP-IDF Framework are listed below:

Branch

Commit ID

master

< 5a87a9c >

release/v4.4

< c412085 >

release/v4.3

< b4ef1b8 >

release/v4.2

< 8b422cd >

release/v4.1

< 3cc92c9 >

Workarounds

The upgrade is applicable for all applications and users of ESP-BLE-MESH component from ESP-IDF. As it is implemented in the Bluetooth Mesh stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware.

References

None Applicable

Credits

We would like to thank Han Yan, Lewei Qu and Dongxiang Ke from Baidu AIoT Security Team for reporting this vulnerability and following up on responsible disclosure.