Espressif ESP-IDF
cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*
- 5.4.1
- 5.3.3
- 5.2.5
- 5.1.6
A vulnerability has been identified in the Espressif Internet of Things Development Framework (ESP-IDF) versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6. The issue arises from an integer underflow in the ESP-NOW protocol implementation within the ESP Wi-Fi component, caused by inadequate validation of user-supplied data lengths in the packet reception function. This vulnerability can lead to out-of-bounds memory access and arbitrary memory write operations. On systems lacking a memory protection scheme, such behavior could potentially be exploited to achieve remote code execution on the affected device.
Exploitation of this vulnerability can result in out-of-bounds memory access and arbitrary memory writes, with the potential for remote code execution on devices without memory protection.
Users are advised to upgrade to ESP-IDF versions 5.4.2, 5.3.4, 5.2.6, or 5.1.7, which include the necessary patch. For ESP-IDF v5.3 and earlier, a workaround involves validating that the 'data_len' parameter in the ESP-NOW receive callback is positive before processing. No application-level workaround is available for ESP-IDF v5.4 and later.
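The workaround for ESP-IDF v5.3 and earlier can be sketched as below. This is an added example, not code from Espressif or from this advisory: the callback has the shape of the v5.x `esp_now_recv_cb_t`, while `app_msg_t`, `app_espnow_recv_cb`, `espnow_len_ok` and `demo_feed` are hypothetical names, and the upper-bound check against `ESP_NOW_MAX_DATA_LEN` goes beyond the positive-length check the advisory asks for.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Stand-ins so this compiles off-target; on a device these come from esp_now.h
   (where rx_ctrl is a wifi_pkt_rx_ctrl_t pointer). */
#define ESP_NOW_ETH_ALEN 6
#define ESP_NOW_MAX_DATA_LEN 250
typedef struct { uint8_t *src_addr; uint8_t *des_addr; void *rx_ctrl; } esp_now_recv_info_t;

/* Hypothetical application message slot (name and layout are assumptions). */
typedef struct {
    uint8_t src[ESP_NOW_ETH_ALEN];
    uint8_t payload[ESP_NOW_MAX_DATA_LEN];
    size_t  len;
    bool    valid;
} app_msg_t;

static app_msg_t g_last_msg;
static unsigned  g_dropped;   /* count of rejected callbacks */

/* True only for a length that is safe to convert to size_t and copy. */
static bool espnow_len_ok(int data_len)
{
    return data_len > 0 && data_len <= ESP_NOW_MAX_DATA_LEN;
}

/* Receive callback: validate data_len before it is used as a size. */
void app_espnow_recv_cb(const esp_now_recv_info_t *info, const uint8_t *data, int data_len)
{
    /* A negative int passed to memcpy/malloc becomes a huge unsigned count. */
    if (info == NULL || info->src_addr == NULL || data == NULL || !espnow_len_ok(data_len)) {
        g_dropped++;
        return;
    }
    memcpy(g_last_msg.src, info->src_addr, ESP_NOW_ETH_ALEN);
    memcpy(g_last_msg.payload, data, (size_t)data_len);
    g_last_msg.len = (size_t)data_len;
    g_last_msg.valid = true;
}

/* Constructed driver: feeds a dummy frame, returns stored length or -1 if dropped. */
int demo_feed(int data_len)
{
    static uint8_t mac[ESP_NOW_ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x01};
    static uint8_t frame[ESP_NOW_MAX_DATA_LEN];
    esp_now_recv_info_t info = { mac, NULL, NULL };
    g_last_msg.valid = false;
    app_espnow_recv_cb(&info, frame, data_len);
    return g_last_msg.valid ? (int)g_last_msg.len : -1;
}
```

On a device the callback is registered with `esp_now_register_recv_cb()`; the check does not replace the upgrade, since the advisory states there is no application-level workaround for v5.4 and later.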