Multiple vulnerabilities in Espressif ESP-IDF
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2021-28139 CVE-2021-28136 CVE-2021-28135 CVE-2021-28155 CVE-2021-31717 |
| CWE-ID | CWE-94 CWE-119 CWE-20 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
ESP-WROVER-KIT Hardware solutions / Routers & switches, VoIP, GSM, etc ESP-IDF Server applications / Other server solutions |
| Vendor | Espressif Systems |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Code Injection
EUVDB-ID: #VU56308
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-28139
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the Bluetooth Classic implementation does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet. A remote attacker in radio range can use a specially crafted Extended Features bitfield payload and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsESP-WROVER-KIT: All versions
ESP-IDF: 0.9 - 4.3.1
External linkshttp://asset-group.github.io/disclosures/braktooth/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Buffer overflow
EUVDB-ID: #VU56310
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-28136
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the Bluetooth Classic implementation does not properly handle the reception of multiple LMP_IO_Capability_req packets during the pairing process. A remote attacker in radio range can send a specially crafted LMP packet, trigger memory corruption and cause a denial of service condition on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsESP-WROVER-KIT: All versions
ESP-IDF: 0.9 - 4.3.1
External linkshttp://asset-group.github.io/disclosures/braktooth/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU56311
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-28135
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the Bluetooth Classic implementation does not properly handle the reception of continuous unsolicited LMP responses. A remote attacker in radio range can send LMP Feature Response data and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsESP-WROVER-KIT: All versions
ESP-IDF: 0.9 - 4.3.1
External linkshttp://asset-group.github.io/disclosures/braktooth/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU56312
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-28155
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the Bluetooth Classic implementation does not properly handle the reception of continuous unsolicited LMP responses. A remote attacker in radio range can send LMP Feature Response data and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsESP-WROVER-KIT: All versions
ESP-IDF: 0.9 - 4.3.1
External linkshttp://asset-group.github.io/disclosures/braktooth/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU56313
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-31717
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the Bluetooth Classic implementation does not properly handle the reception of continuous unsolicited LMP responses. A remote attacker in radio range can send LMP Feature Response data and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsESP-WROVER-KIT: All versions
ESP-IDF: 0.9 - 4.3.1
External linkshttp://asset-group.github.io/disclosures/braktooth/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
