Espressif Releases Patches for WiFi Vulnerabilities (CERT VU#228519)

Oct 16, 2017

Several critical key-management vulnerabilities in the WPA2 security protocol have been discovered. Espressif is hereby releasing patches for these vulnerabilities.
The recently discovered vulnerabilities in the Wi-Fi Protected Access II protocol (WPA2) are of critical security level. These vulnerabilities, also known as KRACK (Key Reinstallation Attack), allow users' internet connections to be hijacked or eavesdropped, while malicious packet injections may also occur.
These vulnerabilities were specified in detail by the United States' Computer Emergency Readiness Team in CERT VU#228519, a note that was originally released on October 16th, 2017The following CVE IDs have been assigned to document the above-mentioned vulnerabilities in the WPA2 protocol: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087 and CVE-2017-13088. 
These vulnerabilities affected the ESP8266 WiFi support and the ESP32 ESP-IDF WiFi support, including released versions v1.0, v2.0 and v2.1. However, Espressif has already fixed them in the following ESP-IDF and ESP8266 versions:
  • release/v2.1  (ESP-IDF) branch, since commit b6c91ce088ef64bd5b96a5af04885040b42b1816; it will appear in the forthcoming V2.1.1 release.
  • master branch (ESP-IDF), since commit 904d6c8f2b01de52597b9e16dad19c78ade9e586; it will appear in the forthcoming V3.0 release.
  • ESP8266 RTOS (ESP8266) master branch, since commit 2fab9e23d779cdd6e5900b8ba2b588e30d9b08c4. 
  • ESP8266 NON-OS (ESP8266) master branch, since commit b762ea222ee94b9ffc5e040f4bf78dd8ba4db596.
Additionally, Arduino ESP32 has been updated accordingly and the relevant link can be found here. Therefore, all Espressif chipset users are strongly encouraged to upgrade their systems as soon as possible.
Many thanks to IT security researcher Mathy Vanhoef, who is a member of the imec-DistriNet group at KU Leuven University, for reporting this issue in the first place. You can find more information about his work on these vulnerabilities here.
  • News
    The launch of our new products ESP32-PICO-D4 and ESP32-PICO-KIT on November 2nd at the AWS Pop-up Loft was attended by an enthusiastic audience in San Francisco.
  • News
    The world’s first ESP8266 IoT contest, organized by Espressif, myDevices, SparkFun and was one of the most successful community IoT competitions to date.
  • News
    Mongoose OS, an Operating System for connected products and Internet-of-Things applications, provides the ESP community with an easy way to develop their connected products in JavaScript or C.