Espressif ESP-IDF
cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*
- 5.5.2
- 5.4.3
- 5.3.4
- 5.2.6
- 5.1.6
A use-after-free vulnerability has been identified in the Bluetooth Low Energy (BLE) provisioning transport of the Espressif IoT Development Framework (ESP-IDF). It is present in versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6. The condition is reached when a remote BLE client interacts with a device that is in provisioning mode with the 'keep_ble_on' flag set to true: the provisioning transport frees its internal state and GATT metadata, but because 'keep_ble_on' keeps the BLE stack and the GATT services active, those services still reference the freed memory. Any subsequent BLE read or write they handle therefore dereferences freed heap memory, which can corrupt the heap or, with more advanced exploitation, hijack control flow.
Exploitation, by a client within BLE range of a device in provisioning mode, can cause a denial of service (crash), heap corruption, or, in advanced cases, control-flow hijacking.
To reproduce, connect a BLE client to a device running an affected ESP-IDF version that is in provisioning mode with 'keep_ble_on' set to true, initiate a BLE provisioning session, and then continue issuing read or write operations through the provisioning GATT interface after the transport has freed its state. Because the GATT services are still registered, those operations reach the freed memory and trigger the use-after-free.
Upgrade to ESP-IDF 5.5.3, 5.4.4, 5.3.5, 5.2.7, or 5.1.7 (the next patch release of each affected series), where this vulnerability has been patched. If an upgrade is not possible, disabling the 'keep_ble_on' option prevents the condition, at the cost that the BLE stack and GATT services are shut down together with the provisioning transport instead of being kept running.
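The lifecycle bug described above, and why both remediations close it, modelled in C. This is an added, constructed example and not ESP-IDF's protocomm or wifi_provisioning code: `gatt_char`, `prov_transport`, `prov_start`, `prov_stop_vulnerable`, `prov_stop_fixed`, the `pool_*` allocator and the client payload are all hypothetical. The instrumented pool allocator stands in for the heap so that the dangling context pointer can be observed as a `GATT_ERR_USE_AFTER_FREE` result instead of undefined behaviour; on a real device the second write would land in freed heap memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a BLE provisioning transport lifecycle. Not ESP-IDF code;
 * every name below is hypothetical. */

enum gatt_result {
    GATT_OK = 0,
    GATT_ERR_NO_SERVICE,      /* GATT service torn down: the stack rejects the request */
    GATT_ERR_NOT_READY,       /* service still registered but no transport state attached */
    GATT_ERR_USE_AFTER_FREE,  /* service still points at freed transport state */
};

/* Tiny instrumented heap so the model can observe a dangling pointer without UB.
 * On a real device this is the ordinary heap and the access silently corrupts it. */
#define POOL_BLOCKS 4
#define POOL_BLOCK_SIZE 64
static struct { int in_use; uint8_t data[POOL_BLOCK_SIZE]; } pool[POOL_BLOCKS];

static void *pool_alloc(void) {
    for (int i = 0; i < POOL_BLOCKS; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        memset(pool[i].data, 0, POOL_BLOCK_SIZE);
        return pool[i].data;
    }
    return NULL;
}

static void pool_free(void *p) {
    for (int i = 0; i < POOL_BLOCKS; i++) {
        if (pool[i].data != p) continue;
        pool[i].in_use = 0;
        memset(pool[i].data, 0xA5, POOL_BLOCK_SIZE);  /* poison freed state */
    }
}

static int pool_live(const void *p) {
    for (int i = 0; i < POOL_BLOCKS; i++)
        if (pool[i].data == p) return pool[i].in_use;
    return 0;
}

/* Per-session transport state: allocated on start, freed on stop. */
struct prov_transport { uint32_t session_id; uint8_t last_write[16]; size_t last_len; };

/* A GATT characteristic as the BLE stack sees it: a callback plus an opaque context. */
struct gatt_char {
    int active;
    void *ctx;
    enum gatt_result (*on_write)(void *ctx, const uint8_t *data, size_t len);
};

static enum gatt_result prov_on_write(void *ctx, const uint8_t *data, size_t len) {
    struct prov_transport *t = ctx;
    if (len > sizeof t->last_write) len = sizeof t->last_write;
    memcpy(t->last_write, data, len);
    t->last_len = len;
    return GATT_OK;
}

/* The BLE stack dispatching a remote client's write to a characteristic. */
static enum gatt_result gatt_write(struct gatt_char *c, const uint8_t *data, size_t len) {
    if (!c->active) return GATT_ERR_NO_SERVICE;
    if (c->ctx == NULL || c->on_write == NULL) return GATT_ERR_NOT_READY;
    if (!pool_live(c->ctx)) return GATT_ERR_USE_AFTER_FREE;  /* model-only detection */
    return c->on_write(c->ctx, data, len);
}

static int prov_start(struct gatt_char *c) {
    struct prov_transport *t = pool_alloc();
    if (t == NULL) return -1;
    t->session_id = 0x1234;
    c->active = 1; c->ctx = t; c->on_write = prov_on_write;
    return 0;
}

/* Vulnerable teardown: state freed first; with keep_ble_on the characteristic stays
 * registered and its ctx keeps pointing at the freed block. */
static void prov_stop_vulnerable(struct gatt_char *c, int keep_ble_on) {
    pool_free(c->ctx);
    if (!keep_ble_on) { c->active = 0; c->ctx = NULL; c->on_write = NULL; }
}

/* Fixed teardown: detach the context from the still-live characteristic before freeing
 * it, so with keep_ble_on the service stays up but has nothing to dereference. */
static void prov_stop_fixed(struct gatt_char *c, int keep_ble_on) {
    void *t = c->ctx;
    c->ctx = NULL; c->on_write = NULL;
    if (!keep_ble_on) c->active = 0;
    pool_free(t);
}

/* One sequence: start, an in-session write, stop, then a second write from the
 * still-connected client. Returns the second write's result, -1 if the session failed. */
int run_scenario(int use_fix, int keep_ble_on) {
    struct gatt_char c = {0};
    const uint8_t msg[] = "prov-data";  /* constructed client payload */
    if (prov_start(&c) != 0) return -1;
    if (gatt_write(&c, msg, sizeof msg) != GATT_OK) return -1;
    if (use_fix) prov_stop_fixed(&c, keep_ble_on);
    else prov_stop_vulnerable(&c, keep_ble_on);
    return (int)gatt_write(&c, msg, sizeof msg);
}

int main(void) {
    static const char *names[] = {"OK", "NO_SERVICE", "NOT_READY", "USE_AFTER_FREE"};
    int r;
    r = run_scenario(0, 1); printf("vulnerable, keep_ble_on=1: %s\n", r < 0 ? "session failed" : names[r]);
    r = run_scenario(1, 1); printf("fixed,      keep_ble_on=1: %s\n", r < 0 ? "session failed" : names[r]);
    r = run_scenario(0, 0); printf("vulnerable, keep_ble_on=0: %s\n", r < 0 ? "session failed" : names[r]);
    return 0;
}
```

The two outcomes worth comparing are the vulnerable teardown with 'keep_ble_on' set, where the second write reaches freed state, and the fixed teardown, where the ordering change alone turns the same write into a clean "not ready" rejection; clearing the flag avoids the bug in both variants only because the service itself is gone.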