Software Component
The BluFi example bundled in ESP-IDF was vulnerable to memory overflows in two areas: Wi-Fi credential handling and Diffie–Hellman key exchange.
Impact
The BluFi example in ESP-IDF contained memory overflow vulnerabilities in two areas: Wi-Fi credential handling and Diffie–Hellman key exchange.
In the credential handling functions, strncpy was incorrectly used with the input length instead of the size of the destination buffer. This flaw allowed an attacker to overflow buffers located in global memory.
During the Diffie–Hellman key exchange, a fixed-size buffer was used to store the public key without validating its size against peer-supplied parameters. This could result in buffer overflows, leading to memory corruption or unexpected behavior.
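Added illustration of both root causes, written for this advisory page; it is not Espressif's code and not taken from the BluFi example. The first handler reproduces the defective pattern described above (the strncpy bound is the attacker-supplied input length), and the checked handlers show the fix: bound every copy by the destination capacity, reject input that does not fit, and NUL-terminate explicitly. The same length check is applied to the peer's Diffie-Hellman public key before it is stored in a fixed-size buffer. All function names, buffer sizes and signatures are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical capacities chosen for this example; they are not the
 * values used by the ESP-IDF BluFi example. */
#define SSID_MAX_LEN      32u
#define PSK_MAX_LEN       64u
#define DH_PUBKEY_MAX_LEN 128u

/* Global buffers, mirroring the advisory's note that the overflowed
 * buffers lived in global memory. */
static char    g_ssid[SSID_MAX_LEN + 1];
static char    g_psk[PSK_MAX_LEN + 1];
static uint8_t g_peer_pubkey[DH_PUBKEY_MAX_LEN];
static size_t  g_peer_pubkey_len;

/* The defective pattern the advisory describes: the bound handed to
 * strncpy is the peer-controlled input length, so nothing relates the
 * copy to the size of dst. Kept only for contrast; never call it with
 * untrusted input. */
void copy_credential_unchecked(char *dst, const uint8_t *src, size_t src_len)
{
    strncpy(dst, (const char *)src, src_len);
    dst[src_len] = '\0';
}

/* Hardened form: the bound is the destination capacity, the input length
 * is checked before any byte is copied, and the result is always
 * NUL-terminated. Returns 0 on success, -1 if the input does not fit. */
static int copy_credential_checked(char *dst, size_t dst_size,
                                   const uint8_t *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0 || src_len >= dst_size) {
        return -1;            /* reject instead of truncating silently */
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Handlers as a BLE data callback might invoke them (hypothetical names). */
int handle_ssid(const uint8_t *data, size_t len)
{
    return copy_credential_checked(g_ssid, sizeof(g_ssid), data, len);
}

int handle_psk(const uint8_t *data, size_t len)
{
    return copy_credential_checked(g_psk, sizeof(g_psk), data, len);
}

/* DH public key: the length announced by the peer is validated against
 * the fixed-size buffer before it is stored. A zero-length key is also
 * rejected, since it can never be a usable public value. */
int handle_dh_pubkey(const uint8_t *key, size_t len)
{
    if (key == NULL || len == 0 || len > sizeof(g_peer_pubkey)) {
        g_peer_pubkey_len = 0;
        return -1;
    }
    memcpy(g_peer_pubkey, key, len);
    g_peer_pubkey_len = len;
    return 0;
}

const char *current_ssid(void)      { return g_ssid; }
size_t      current_pubkey_len(void) { return g_peer_pubkey_len; }

int main(void)
{
    /* Constructed inputs: one SSID that fits and one that exceeds the buffer. */
    const uint8_t ok_ssid[] = "HomeNet";
    uint8_t long_ssid[SSID_MAX_LEN + 8];
    memset(long_ssid, 'A', sizeof(long_ssid));

    printf("short ssid accepted: %d\n", handle_ssid(ok_ssid, sizeof(ok_ssid) - 1));
    printf("long ssid accepted:  %d\n", handle_ssid(long_ssid, sizeof(long_ssid)));
    return 0;
}
```

The checked variant deliberately uses memcpy plus an explicit terminator rather than strncpy with the destination size: strncpy does not NUL-terminate when the source fills the buffer, so a "fixed" call that merely swaps the bound can leave an unterminated string behind for the next reader.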
Patches
The issues were addressed in the following commits:
Recommendations
- Upgrade to a BluFi application version that includes the fix. If you prefer not to upgrade, then you can cherry-pick the relevant fixes.
- The default encryption/decryption logic in this example is intended for demonstration purposes only. If you require a higher level of security, it is recommended to implement your own encryption, decryption, authentication, and checksum algorithms by customizing the security callbacks in the BluFi framework (see esp_blufi_api.c).
References
Credits
We would like to thank the NCC Group for reporting this vulnerability and following up on responsible disclosure.