Software Component
ESP BLE Mesh: https://github.com/espressif/esp-idf/tree/master/components/bt/esp_ble_mesh
Documentation: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/bluetooth/esp-ble-mesh.html
Impact
In Espressif’s Bluetooth Mesh SDK (ESP-BLE-MESH), a memory corruption vulnerability can be triggered during provisioning, because there is no check for the SegN field of the Transaction Start PDU. This can result in memory corruption related attacks and potentially attacker gaining control of the entire system.
Normally there are two fields in the Transaction Start PDU that need to be checked, i.e., the TotalLength field and the SegN field. Since we only checked the TotalLength field, an attacker can send a Provisioning PDU with an invalid SegN field, which will cause the message handled by the firmware to be much larger than the current buffer could store, thus causing a memory corruption issue to global buffer.
Patches
Patched versions of ESP-IDF Framework are listed below:
Workarounds
The upgrade is applicable for all applications and users of ESP-BLE-MESH component from ESP-IDF. As it is implemented in the Bluetooth Mesh stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware.
References
None Applicable
Credits
We would like to thank Han Yan, Lewei Qu and Dongxiang Ke from Baidu AIoT Security Team for reporting this vulnerability and following up on responsible disclosure.
Software Component
ESP BLE Mesh: https://github.com/espressif/esp-idf/tree/master/components/bt/esp_ble_mesh
Documentation: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/bluetooth/esp-ble-mesh.html
Impact
In Espressif’s Bluetooth Mesh SDK (
ESP-BLE-MESH), a memory corruption vulnerability can be triggered during provisioning, because there is no check for theSegNfield of the Transaction Start PDU. This can result in memory corruption related attacks and potentially attacker gaining control of the entire system.Normally there are two fields in the Transaction Start PDU that need to be checked, i.e., the
TotalLengthfield and theSegNfield. Since we only checked theTotalLengthfield, an attacker can send a Provisioning PDU with an invalidSegNfield, which will cause the message handled by the firmware to be much larger than the current buffer could store, thus causing a memory corruption issue to global buffer.Patches
Patched versions of ESP-IDF Framework are listed below:
Workarounds
The upgrade is applicable for all applications and users of
ESP-BLE-MESHcomponent fromESP-IDF. As it is implemented in the Bluetooth Mesh stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware.References
None Applicable
Credits
We would like to thank Han Yan, Lewei Qu and Dongxiang Ke from Baidu AIoT Security Team for reporting this vulnerability and following up on responsible disclosure.