Arduino-ESP32 HTTP Response Splitting Vulnerability

Vulnerability

An HTTP response splitting vulnerability has been identified in the Arduino core for ESP32, specifically in versions through 3.3.0-alpha1 and 3.2.0. The issue is in the `sendHeader` function, which does not validate or sanitize the HTTP header name and value it is given. An attacker who controls either input can inject carriage return or line feed characters, which can lead to the injection of additional headers, manipulation of the HTTP response structure, or confusion of HTTP headers, and potentially to cross-site scripting or other HTTP protocol-related attacks.

Impact

Exploitation of this vulnerability allows for HTTP response splitting, which can lead to cross-site scripting, cache poisoning, session fixation, or bypassing CORS and security headers. Additionally, it can cause general protocol violations by introducing invalid HTTP headers or malformed responses, disrupting client interactions or facilitating further attacks.

Reproduction

To reproduce this vulnerability, send a request that includes injected carriage return or line feed characters in the HTTP header name or value. This can be done by manipulating the input to the `sendHeader` function, either directly or indirectly, such as through a web application that uses this function to send HTTP headers.

Remediation

This vulnerability has been patched in Arduino-ESP32 versions 3.3.0-RC1 and 3.2.1. Users should update to these versions to address the issue.
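
The check that `sendHeader` was missing, as an added example (not the Arduino-ESP32 patch or any code from the project): header names and values are validated before a header line is assembled. All function names are hypothetical, the unchecked builder is a simplified model of unvalidated concatenation, and `std::string` stands in for the Arduino `String` type so the code compiles off-device.

```cpp
// Added example; names are hypothetical and this is not the project's code.
#include <cstddef>
#include <iostream>
#include <string>

// Header names must be RFC 9110 "token" characters: no delimiters, spaces or controls.
static bool isTokenChar(unsigned char c) {
    if (c <= 0x20 || c >= 0x7f) return false;
    return std::string("\"(),/:;<=>?@[\\]{}").find(static_cast<char>(c)) == std::string::npos;
}

bool isValidHeaderName(const std::string &name) {
    if (name.empty()) return false;
    for (unsigned char c : name)
        if (!isTokenChar(c)) return false;
    return true;
}

// Header values: reject CR, LF, NUL, other control characters and DEL (HTAB is allowed).
bool isValidHeaderValue(const std::string &value) {
    for (unsigned char c : value)
        if ((c < 0x20 && c != '\t') || c == 0x7f) return false;
    return true;
}

// Simplified model of unvalidated assembly: name and value are concatenated as given.
std::string buildHeaderUnchecked(const std::string &name, const std::string &value) {
    return name + ": " + value + "\r\n";
}

// Hardened form: returns false and leaves `out` untouched when either field is unsafe.
bool buildHeaderChecked(const std::string &name, const std::string &value, std::string &out) {
    if (!isValidHeaderName(name) || !isValidHeaderValue(value)) return false;
    out = name + ": " + value + "\r\n";
    return true;
}

// Counts CRLF-terminated lines in an assembled header block.
std::size_t countHeaderLines(const std::string &block) {
    std::size_t n = 0, pos = 0;
    while ((pos = block.find("\r\n", pos)) != std::string::npos) { ++n; pos += 2; }
    return n;
}

int main() {
    const std::string crafted = "en\r\nX-Constructed: 1";  // constructed sample input
    std::string out;
    std::cout << countHeaderLines(buildHeaderUnchecked("Content-Language", crafted)) << "\n";
    std::cout << buildHeaderChecked("Content-Language", crafted, out) << "\n";
}
```

Rejecting the whole header, rather than stripping the offending bytes, keeps a malformed value from being silently rewritten into something the application never intended to send.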

Added: Jun 26, 2025, 3:26 PM
Updated: Jun 26, 2025, 3:26 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 1.3
exploitability: 5.8
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.