
AES/CBC Constant IV Vulnerability in ESPTouch v2

Moderate
mahavirj published GHSA-wm57-466g-mhrr Dec 11, 2024

Package

ESPTouch v2 (ESP-IDF)

Affected versions

v5.3.1
v5.2.3
v5.1.5
v5.0.7

Patched versions

v5.3.2
v5.2.4 (not yet released)
v5.1.6 (not yet released)
v5.0.8 (not yet released)

Description

Software component

ESP Wi-Fi Component:

ESPTouch Phone Apps Source:

Impact

In the ESPTouch v2 protocol, an application can supply a custom AES key, but there is no option to set the IV (Initialization Vector). The IV is fixed at zero and remains constant for the product's lifetime.
In AES/CBC mode, an IV that is not properly initialized (here, reused under the same key for every message) makes encryption deterministic: identical plaintext blocks, and identical leading blocks of different payloads, produce identical ciphertext, which can leak information about the provisioning data.

Patches

To address this issue, the application now generates a random IV when it activates the AES key. This IV is transmitted together with the provisioning data to the provisioning device.

The provisioning device has also been equipped with a parser for the AES IV.
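The following example, added here and not taken from ESP-IDF or the ESPTouch apps, shows both the Impact and the Patches sections in code: CBC with the constant zero IV makes the ciphertext deterministic, while a per-message random IV that is sent ahead of the ciphertext and parsed by the receiver does not. A toy Feistel block cipher stands in for AES so it runs without a crypto library, and the "IV || ciphertext" framing is an assumption, not the actual ESPTouch wire format.

```python
import hashlib, hmac, os

BLOCK = 16  # 128-bit blocks, as with AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):  # Feistel round function: keyed hash, 8 bytes
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    # Toy 4-round Feistel cipher standing in for AES; only the CBC layer matters here.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    pad = BLOCK - len(plaintext) % BLOCK  # PKCS#7 padding
    data, out, prev = plaintext + bytes([pad]) * pad, [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))  # chaining
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        out.append(_xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev))
        prev = ciphertext[i:i + BLOCK]
    data = b"".join(out)
    return data[:-data[-1]]  # strip padding

ZERO_IV = bytes(BLOCK)  # the constant IV the unpatched component used
def encrypt_vulnerable(key, payload):  # fixed IV: equal prefixes -> equal blocks
    return cbc_encrypt(key, ZERO_IV, payload)

def encrypt_patched(key, payload):
    # Fresh random IV per message, sent ahead of the ciphertext (assumed framing).
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, payload)

def decrypt_patched(key, message):  # receiver parses the IV, then decrypts
    return cbc_decrypt(key, message[:BLOCK], message[BLOCK:])
```

With the fixed IV, two provisioning payloads that share their first 16 bytes (for example the same SSID with different passwords) produce an identical first ciphertext block; with the patched scheme, even the same payload encrypts differently each time.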

Patched versions of the ESP-IDF framework are listed below:

Branch          Commit
master          8fb28dc
release/v5.3    fd224e8
release/v5.2    d47ed7d
release/v5.1    4f85a27
release/v5.0    de69895

Workarounds

The upgrade applies to all applications and users of the ESPTouch v2 component in ESP-IDF. Because the fix is implemented in the ESP Wi-Fi stack, there is no application-layer workaround; the underlying firmware must be upgraded.

Severity

Moderate

CVE ID

CVE-2024-53845

Weaknesses

Generation of Weak Initialization Vector (IV) (CWE-1204)

The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.

Credits