CVE-2026-45542
Status: Received - Intake
Heap Buffer Overflow in ESP-IDF Protocomm SRP6a

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.2.6, 5.3.5, 5.4.4, 5.5.4, and 6.0, a heap buffer overflow exists in the Security Scheme 2 (SRP6a) session-setup path of the protocomm component. The first-phase handler (handle_session_command0() in components/protocomm/src/security/security2.c) trusts the length of a client-supplied protobuf field for the SRP6a username and copies it into a buffer whose size is derived from a narrower destination type. The resulting truncation-versus-copy asymmetry corrupts the heap when an oversized value is supplied. This issue has been patched in versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
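The length-narrowing pattern described above, as an added illustration in C (a reconstruction of the bug class, not ESP-IDF's security2.c; the 8-bit narrowed type, the pb_bytes_t field struct and the MAX_USERNAME_LEN bound are assumptions chosen for the example). The first function shows why an allocation sized from a narrowed length cannot hold a copy of the full client-supplied length; the second shows the bounded handling that sizes the allocation and the copy from the same value.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a decoded protobuf bytes field: the decoder hands
   the handler a pointer and the client-chosen length exactly as received. */
typedef struct {
    const uint8_t *data;
    size_t len;
} pb_bytes_t;

/* Illustrative upper bound on the SRP6a username (assumed, not ESP-IDF's value). */
#define MAX_USERNAME_LEN 64

/* Vulnerable sizing pattern (reconstruction, not the ESP-IDF source):
   the allocation is sized from the length after it has been narrowed to a
   smaller integer type, while the copy uses the original full length.
   Returns 1 when that asymmetry would make memcpy() write past the heap
   allocation, i.e. whenever narrowing changed the value. */
int narrowed_size_overflows(size_t len)
{
    uint8_t narrowed = (uint8_t)len;        /* narrower destination type (assumed 8-bit) */
    size_t alloc_size = (size_t)narrowed + 1; /* room reserved, plus NUL */
    size_t copy_size = len;                   /* bytes the copy would write */
    return copy_size > alloc_size - 1;        /* copy exceeds the reserved space */
}

/* Hardened handler: validate the client-supplied length against an explicit
   bound before any allocation or copy, and size both from the same size_t.
   Returns 0 on success (caller frees *out) or -1 when the field is rejected. */
int store_username(const pb_bytes_t *field, char **out)
{
    *out = NULL;
    if (field == NULL || field->data == NULL ||
        field->len == 0 || field->len > MAX_USERNAME_LEN)
        return -1;                            /* reject empty or oversized field */
    char *buf = malloc(field->len + 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, field->data, field->len);     /* same length as the allocation */
    buf[field->len] = '\0';
    *out = buf;
    return 0;
}
```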
Affected Vendors & Products (10 associated CPEs)
Vendor      Product   Version / Range
espressif   esp-idf   5.2.6
espressif   esp-idf   5.3.5
espressif   esp-idf   5.4.4
espressif   esp-idf   5.5.4
espressif   esp-idf   6.0
espressif   esp-idf   to 5.2.7 (inc)
espressif   esp-idf   to 5.3.6 (inc)
espressif   esp-idf   to 5.4.5 (inc)
espressif   esp-idf   to 5.5.5 (inc)
espressif   esp-idf   to 6.0.1 (inc)
CWE
CWE-122: A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
AI Quick Actions
Executive Summary

This vulnerability is a heap buffer overflow in the Espressif Internet of Things Development Framework (ESP-IDF), specifically in the Security Scheme 2 (SRP6a) session-setup path of the protocomm component.

The issue occurs because the function handle_session_command0() trusts the length of a client-supplied protobuf field for the SRP6a username and copies it into a buffer whose size is derived from a narrower destination type. This mismatch causes truncation-versus-copy asymmetry, leading to heap corruption when an oversized username is supplied.

An unauthenticated attacker within Bluetooth Low Energy (BLE) range can exploit this vulnerability during device provisioning to crash the device or corrupt heap data, causing denial of service.

The flaw is specific to BLE provisioning using Security Scheme 2 and does not affect other transports like HTTP/SoftAP or Bluedroid BLE, which enforce payload size limits.

This vulnerability has been patched in ESP-IDF versions 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated attacker within BLE range to exploit the heap buffer overflow during device provisioning.

Exploitation can lead to device crashes or heap corruption, which may cause denial of service by disrupting normal device operation.

Because the vulnerability affects the integrity and availability of the device, it can result in service interruptions and potentially impact the reliability of IoT deployments using the affected ESP-IDF versions.

Mitigations include upgrading to patched versions, provisioning over SoftAP or HTTP instead of BLE, restricting the provisioning window, or disabling BLE provisioning after device setup.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your ESP-IDF framework to one of the patched versions: 5.2.7, 5.3.6, 5.4.5, 5.5.5, or 6.0.1.

If upgrading immediately is not possible, consider provisioning devices over SoftAP or HTTP transports instead of BLE, as the vulnerability only affects BLE provisioning with Security Scheme 2.

Additional temporary mitigations include restricting the provisioning window and disabling BLE provisioning after device setup to reduce exposure.

Detection Guidance

This vulnerability exists in the protocomm Security Scheme 2 (SRP6a) session-setup path of the ESP-IDF framework when using Bluetooth Low Energy (BLE) provisioning. Detection involves monitoring for abnormal crashes or heap corruption events during BLE provisioning sessions, especially when using Security Scheme 2.

Since the vulnerability is triggered by an oversized client-supplied protobuf username field, detection can include checking for malformed or oversized payloads in BLE provisioning traffic targeting the device.

There are no explicit commands provided in the resources for direct detection of this vulnerability on a network or system.

However, general approaches to detect exploitation attempts could include:

  • Monitoring device logs for crashes or heap corruption messages related to protocomm or security2.c during BLE provisioning.
  • Using BLE traffic analysis tools (e.g., Wireshark with BLE plugins) to capture and inspect provisioning packets for abnormally large username fields in the SRP6a session setup.
  • Employing fuzz testing or custom scripts to send oversized protobuf username fields to the device's BLE provisioning interface to verify if the device crashes or behaves unexpectedly.

Detection therefore relies on custom monitoring, logging, and network traffic inspection tailored to the device and its environment.
