SB20241211101 - Generation of Weak Initialization Vector (IV) in ESP-IDF

Description

This security bulletin contains information about 1 vulnerability.

1) Generation of Weak Initialization Vector (IV) (CVE-ID: CVE-2024-53845)

CWE-ID: CWE-1204 - Generation of Weak Initialization Vector (IV)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to generation of a weak initialization vector in the ESPTouch v2 protocol implementation in the ESP Wi-Fi component when encrypting provisioning data with AES/CBC. A remote attacker can observe deterministic ciphertext produced with a constant zero IV to disclose sensitive information.

The issue occurs when the optional custom AES key feature is used.

Remediation

Install update from vendor's website.

References

• https://github.com/espressif/esp-idf/security/advisories/GHSA-wm57-466g-mhrr
• https://github.com/espressif/esp-idf/commit/fd224e83bbf133833638b277c767be7f7cdd97c7