Privilege escalation in Espressif ESP-IDF
Published: 2019-05-13 | Updated: 2019-09-10
Risk: Low
Patch available: Yes
Number of vulnerabilities: 1
CVE-ID: CVE-2018-18558
CWE-ID: CWE-20
Exploitation vector: Local
Public exploit: N/A
Vulnerable software
ESP-IDF (Server applications / Other server solutions)

Vendor: Espressif Systems

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Input validation error

EUVDB-ID: #VU20953

Risk: Low

CVSSv3.1: 5.6 [CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-18558

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input in the second-stage bootloader. A local attacker with physical access can craft an application binary that overwrites a bootloader code segment in "process_segment" in "components/bootloader_support/src/esp_image_format.c", bypass secure boot checks and execute arbitrary code on the target system.

Note: The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

ESP-IDF: 2.0 - 3.1

External links

http://github.com/espressif/esp-idf/releases
http://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_(CVE-2018-18558)


Q & A

Can this vulnerability be exploited remotely?

No. The attacker needs physical access to the system in order to successfully exploit this vulnerability.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.