Headline
CVE-2022-24893
ESP-IDF is the official development framework for Espressif SoCs. In Espressif’s Bluetooth Mesh SDK (ESP-BLE-MESH
), a memory corruption vulnerability can be triggered during provisioning, because there is no check for the SegN
field of the Transaction Start PDU. This can result in memory corruption related attacks and potentially attacker gaining control of the entire system. Patch commits are available on the 4.1, 4.2, 4.3 and 4.4 branches and users are recommended to upgrade. The upgrade is applicable for all applications and users of ESP-BLE-MESH
component from ESP-IDF
. As it is implemented in the Bluetooth Mesh stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware.
Software Component
ESP BLE Mesh: https://github.com/espressif/esp-idf/tree/master/components/bt/esp_ble_mesh
Documentation: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/bluetooth/esp-ble-mesh.html
Impact
In Espressif’s Bluetooth Mesh SDK (ESP-BLE-MESH), a memory corruption vulnerability can be triggered during provisioning, because there is no check for the SegN field of the Transaction Start PDU. This can result in memory corruption related attacks and potentially attacker gaining control of the entire system.
Normally there are two fields in the Transaction Start PDU that need to be checked, i.e., the TotalLength field and the SegN field. Since we only checked the TotalLength field, an attacker can send a Provisioning PDU with an invalid SegN field, which will cause the message handled by the firmware to be much larger than the current buffer could store, thus causing a memory corruption issue to global buffer.
Patches
Patched versions of ESP-IDF Framework are listed below:
Branch
Commit ID
master
< 5a87a9c >
release/v4.4
< c412085 >
release/v4.3
< b4ef1b8 >
release/v4.2
< 8b422cd >
release/v4.1
< 3cc92c9 >
Workarounds
The upgrade is applicable for all applications and users of ESP-BLE-MESH component from ESP-IDF. As it is implemented in the Bluetooth Mesh stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware.
References
None Applicable
Credits
We would like to thank Han Yan, Lewei Qu and Dongxiang Ke from Baidu AIoT Security Team for reporting this vulnerability and following up on responsible disclosure.