Espressif ESP-IDF up to 4.4.6/5.0.6/5.1.3/5.2.0 Anti-Rollback Protection toctou

Summaryinfo

A vulnerability, which was classified as problematic, has been found in Espressif ESP-IDF up to 4.4.6/5.0.6/5.1.3/5.2.0. This affects an unknown function of the component Anti-Rollback Protection. This manipulation causes toctou. This vulnerability is handled as CVE-2024-28183. It is feasible to perform the attack on the physical device. There is not any exploit available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability has been found in Espressif ESP-IDF up to 4.4.6/5.0.6/5.1.3/5.2.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Anti-Rollback Protection. The manipulation with an unknown input leads to a toctou vulnerability. The CWE definition for the vulnerability is CWE-367. The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

ESP-IDF is the development framework for Espressif SoCs supported on Windows, Linux and macOS. A Time-of-Check to Time-of-Use (TOCTOU) vulnerability was discovered in the implementation of the ESP-IDF bootloader which could allow an attacker with physical access to flash of the device to bypass anti-rollback protection. Anti-rollback prevents rollback to application with security version lower than one programmed in eFuse of chip. This attack can allow to boot past (passive) application partition having lower security version of the same device even in the presence of the flash encryption scheme. The attack requires carefully modifying the flash contents after the anti-rollback checks have been performed by the bootloader (before loading the application). The vulnerability is fixed in 4.4.7 and 5.2.1.

The advisory is shared at github.com. This vulnerability is known as CVE-2024-28183 since 03/06/2024. The exploitation appears to be easy. An attack has to be approached locally. The exploitation doesn't need any form of authentication. Neither technical details nor an exploit are publicly available.

Upgrading to version 4.4.7 or 5.2.1 eliminates this vulnerability. Applying the patch 3305cb4d235182067936f8e940e6db174e25b4b2 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• Espressif

Name

• ESP-IDF

Version

• 4.4.0
• 4.4.1
• 4.4.2
• 4.4.3
• 4.4.4
• 4.4.5
• 4.4.6
• 5.0
• 5.0.0
• 5.0.1
• 5.0.2
• 5.0.3
• 5.0.4
• 5.0.5
• 5.0.6
• 5.1
• 5.1.0
• 5.1.1
• 5.1.2
• 5.1.3
• 5.2.0

License

• open-source

Website

• Product: https://github.com/espressif/esp-idf/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion