Arduino ESP32 Cross-Site Request Forgery Vulnerability in OTA Update Process Allowing Remote Code Execution

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Arduino core for ESP32 microcontrollers, specifically in the Over-The-Air (OTA) update process. The issue affects versions prior to 3.2.1 and is present in several example sketches and in the HTTPUpdateServer implementation. The firmware update endpoint accepts a POST request carrying a firmware image without any CSRF protection (no anti-CSRF token and no check of the request's origin), so it cannot distinguish a form submitted from the device's own update page from one submitted by an arbitrary web page loaded in a victim's browser. An attacker who gets such a request issued from a browser that can reach the device can therefore upload and run arbitrary firmware, which amounts to remote code execution (RCE) on the device.

Impact

Exploitation of this vulnerability allows remote code execution on the affected ESP32 device. Because the uploaded image replaces the running firmware, the result is a complete compromise of the device's functionality and integrity.

Reproduction

To reproduce this vulnerability, flash a sketch that uses the HTTPUpdateServer library (or one of the affected example sketches) without CSRF protection onto an ESP32 and connect it to a network. A user whose browser can reach the device, typically one on the same LAN, must then be lured to a malicious website; that page submits a POST request to the device's update endpoint with an attacker-supplied firmware image. A multipart/form-data POST is a "simple" cross-origin request, so the browser sends it without a CORS preflight, and if the user has previously authenticated to the update page with HTTP Basic authentication the browser attaches those cached credentials as well. With no CSRF protection the device accepts and flashes the image, and the uploaded firmware executes.

Remediation

Users are advised to update to version 3.2.1 or later, which addresses this vulnerability by adding CSRF protection to the OTA update endpoints and additionally requires authentication for firmware uploads. Note that authentication on its own does not stop CSRF, because a browser replays cached HTTP Basic credentials on cross-site requests; the CSRF protection is the part of the fix that closes this issue. Until the update can be applied, keep the update endpoint off networks that untrusted browsers can reach, or disable OTA updates entirely.
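The following is an added example, not code from arduino-esp32 or its 3.2.1 fix, showing the two checks an OTA update handler can apply before accepting an upload: the request's Origin (or Referer) must name the device itself, and a per-boot random token embedded in the device's own upload form must be echoed back. It is written as portable C++ with no Arduino headers so it runs on a host; the Request struct, the csrf_ok/host_of helper names, the header values and the token are all constructed for illustration and stand in for what a WebServer handler would read from the real request.

```cpp
// Added example (not arduino-esp32 code): CSRF checks for a firmware upload
// handler. Portable C++ so it runs on a host; Request stands in for the
// headers and form fields a WebServer handler would read. All names and
// sample values are constructed for illustration.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

struct Request {
    std::string method;                          // "POST", "GET", ...
    std::map<std::string, std::string> headers;  // lower-case header names
    std::string form_token;                      // hidden "csrf" form field, if any
};

// Return the host[:port] part of an absolute URL, or "" if it has no scheme.
// "http://192.168.4.1/update" -> "192.168.4.1"
std::string host_of(const std::string& url) {
    std::string::size_type scheme = url.find("://");
    if (scheme == std::string::npos) return "";
    std::string::size_type start = scheme + 3;
    std::string::size_type end = url.find_first_of("/?#", start);
    return url.substr(start, end == std::string::npos ? std::string::npos : end - start);
}

// Compare tokens in time that does not depend on where they first differ.
static bool constant_time_equal(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    uint8_t diff = 0;
    for (std::size_t i = 0; i < a.size(); ++i) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

// Decide whether a firmware upload may be processed. expected_token is a
// random value the device generated at boot and embedded in the upload form
// it served; a cross-site page cannot read that form, so it cannot echo it.
bool csrf_ok(const Request& req, const std::string& expected_token) {
    if (req.method != "POST") return false;
    std::map<std::string, std::string>::const_iterator host = req.headers.find("host");
    if (host == req.headers.end()) return false;

    // Check 1: the request must come from a page served by this device.
    // Browsers send Origin on cross-site POSTs and Referer on navigations;
    // a request carrying neither is rejected (fail closed).
    std::string source;
    std::map<std::string, std::string>::const_iterator it = req.headers.find("origin");
    if (it != req.headers.end()) {
        source = host_of(it->second);
    } else if ((it = req.headers.find("referer")) != req.headers.end()) {
        source = host_of(it->second);
    }
    if (source.empty() || source != host->second) return false;

    // Check 2: the hidden form field must carry the device's current token.
    return constant_time_equal(req.form_token, expected_token);
}

// Stand-alone demo with constructed requests.
int main() {
    const std::string token = "b7f3c2a1d4e5f6a7";  // constructed; on the device use esp_random()
    Request good{"POST", {{"host", "192.168.4.1"}, {"origin", "http://192.168.4.1"}}, token};
    Request csrf{"POST", {{"host", "192.168.4.1"}, {"origin", "http://attacker.example"}}, token};
    std::printf("legitimate upload: %s\n", csrf_ok(good, token) ? "accepted" : "rejected");
    std::printf("cross-site upload: %s\n", csrf_ok(csrf, token) ? "accepted" : "rejected");
    return 0;
}
```

In a real sketch the token would be generated once at boot (esp_random() on the ESP32), written into the HTML form the device serves for the update page, and compared in the upload handler before any bytes are passed to the Update library; the origin check costs nothing extra and rejects a forged request even if the token were ever leaked.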

Added: Jul 7, 2025, 8:30 PM
Updated: Jul 7, 2025, 8:30 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 7.5
exploitability: 5.4
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.