SB2024032593 - Time-of-check Time-of-use (TOCTOU) Race Condition in ESP-IDF

Description

This security bulletin contains information about 1 vulnerability.

1) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2024-28183)

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows an attacker with physical access to bypass anti-rollback protection.

The vulnerability exists due to a time-of-check time-of-use race condition in the ESP-IDF bootloader anti-rollback scheme when verifying and loading the application from flash. An attacker with physical access can carefully modify flash contents after the anti-rollback checks and before the application is loaded to bypass anti-rollback protection.

In the presence of flash encryption, exploitation can allow booting a past passive application partition with a lower security version from the same device.

Remediation

Install update from vendor's website.

References

• https://github.com/espressif/esp-idf/security/advisories/GHSA-22x6-3756-pfp8
• https://github.com/espressif/esp-idf/commit/3305cb4d235182067936f8e940e6db174e25b4b2