Impact
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability was discovered in the implementation of the ESP-IDF bootloader which could allow an attacker with physical access to flash of the device to bypass anti-rollback protection. Anti-rollback prevents rollback to application with security version lower than one programmed in eFuse of chip.
The attack requires carefully modifying the flash contents after the anti-rollback checks have been performed by the bootloader (and before loading the application). In presence of the flash encryption scheme, this attack can allow to boot only past (passive) application partition having lower security version of the same device.
Patches
Additional checks to harden the secure version verification of the application in anti-rollback case have been added to avoid any attempts to boot lower security version but valid application (e.g., passive partition image).
-
In the bootloader, now the secure_version is read during the application hash (SHA256) calculation stage and it is verified after application loading stage. This check happens before handling the final control to application.
-
Application startup code has been updated to ensure that the currently booting app has a equal or higher security version than the one programmed in the eFuse for anti-rollback scenario. This fix can also be deployed using OTA update for the existing devices.
Patched versions of ESP-IDF Framework are listed below:
Workarounds
Please consider updating to ESP-IDF release containing the fixes mentioned above. Alternatively, the fixes can also be cherry-picked in your codebase.
References
None applicable
Credits
We would like to thank Joseph Surin, elttam for reporting this vulnerability and following up on responsible disclosure.
Impact
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability was discovered in the implementation of the ESP-IDF bootloader which could allow an attacker with physical access to flash of the device to bypass anti-rollback protection. Anti-rollback prevents rollback to application with security version lower than one programmed in eFuse of chip.
The attack requires carefully modifying the flash contents after the anti-rollback checks have been performed by the bootloader (and before loading the application). In presence of the flash encryption scheme, this attack can allow to boot only past (passive) application partition having lower security version of the same device.
Patches
Additional checks to harden the secure version verification of the application in anti-rollback case have been added to avoid any attempts to boot lower security version but valid application (e.g., passive partition image).
In the bootloader, now the
secure_versionis read during the application hash (SHA256) calculation stage and it is verified after application loading stage. This check happens before handling the final control to application.Application startup code has been updated to ensure that the currently booting app has a equal or higher security version than the one programmed in the eFuse for anti-rollback scenario. This fix can also be deployed using OTA update for the existing devices.
Patched versions of ESP-IDF Framework are listed below:
Workarounds
Please consider updating to ESP-IDF release containing the fixes mentioned above. Alternatively, the fixes can also be cherry-picked in your codebase.
References
None applicable
Credits
We would like to thank Joseph Surin, elttam for reporting this vulnerability and following up on responsible disclosure.