Espressif ESP-IDF
cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*
- 5.5.2
- 5.4.3
- 5.3.4
- 5.2.6
- 5.1.6
An out-of-bounds read vulnerability has been identified in the Espressif Internet of Things Development Framework (ESP-IDF) versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6. The issue lies in the handling of Bluetooth Low Energy (BLE) Attribute Protocol Prepare Write requests within the BLE provisioning transport component, and it can be triggered by a remote BLE client while the device is in provisioning mode. The transport tracked the cumulative length of prepared-write fragments in a fixed-size buffer without accounting for overlap, so the reported length could exceed the allocated buffer size. By sending overlapping prepare write requests, a remote client could inflate the tracked length beyond the buffer's capacity, triggering an out-of-bounds read and potential memory corruption when the queued writes were executed.
Exploitation of this vulnerability can cause a denial-of-service, heap corruption, or system instability.
The vulnerability can be reproduced by sending repeated prepare write requests with overlapping offsets to a device in provisioning mode. This can be done using a Bluetooth Low Energy client that is capable of sending such requests, targeting the 'protocomm_ble' transport of the ESP-IDF framework.
Users can upgrade to Espressif ESP-IDF versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, or 5.1.7, all of which include the necessary fix. Instructions for upgrading can be found in the ESP-IDF documentation.
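The length-tracking defect described above can be illustrated with a small model. The following is an added example, not ESP-IDF code and not the project's actual fix: it assumes a hypothetical `prep_ctx_t` reassembly context with a constructed 64-byte buffer, and contrasts a variant that accumulates fragment lengths (so overlapping fragments inflate `len` past the buffer even though every individual copy is bounds-checked) with a hardened variant that treats the length as the high-water mark of `offset + frag_len` and validates it before touching memory. The fragment sequence in `run_overlapping_sequence` is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PREP_BUF_SIZE 64  /* constructed buffer size for this model */

/* Hypothetical prepare-write reassembly context (not the ESP-IDF structure). */
typedef struct {
    uint8_t data[PREP_BUF_SIZE];
    size_t  len;  /* number of bytes the transport believes are valid */
} prep_ctx_t;

typedef int (*prep_write_fn)(prep_ctx_t *, uint16_t, const uint8_t *, size_t);

/* Vulnerable pattern: each fragment is bounds-checked on its own, but the
 * reported length is accumulated, so fragments that overlap an earlier one
 * push len past the buffer without any memcpy ever going out of bounds.
 * The later execute-write then trusts len and reads past the buffer. */
int prep_write_accumulate(prep_ctx_t *ctx, uint16_t offset,
                          const uint8_t *frag, size_t frag_len)
{
    if ((size_t)offset + frag_len > PREP_BUF_SIZE) {
        return -1;
    }
    memcpy(ctx->data + offset, frag, frag_len);
    ctx->len += frag_len;  /* BUG: ignores overlap with earlier fragments */
    return 0;
}

/* Hardened pattern: the valid length is the highest end offset seen, and the
 * end offset is validated against the buffer size before any copy. */
int prep_write_checked(prep_ctx_t *ctx, uint16_t offset,
                       const uint8_t *frag, size_t frag_len)
{
    size_t end = (size_t)offset + frag_len;
    if (end > PREP_BUF_SIZE) {
        return -1;
    }
    memcpy(ctx->data + offset, frag, frag_len);
    if (end > ctx->len) {
        ctx->len = end;  /* high-water mark, never a running sum */
    }
    return 0;
}

/* Defensive check the execute-write consumer should make independently of
 * how len was produced: never read more than the buffer actually holds. */
bool exec_write_is_safe(const prep_ctx_t *ctx)
{
    return ctx->len <= PREP_BUF_SIZE;
}

/* Feed the same constructed sequence to either variant: three 32-byte
 * fragments all at offset 0 (fully overlapping). Returns the tracked length. */
size_t run_overlapping_sequence(prep_write_fn write_fn)
{
    prep_ctx_t ctx;
    memset(&ctx, 0, sizeof(ctx));
    uint8_t frag[32];
    memset(frag, 0x41, sizeof(frag));  /* constructed payload bytes */
    for (int i = 0; i < 3; i++) {
        (void)write_fn(&ctx, 0, frag, sizeof(frag));
    }
    return ctx.len;
}

/* Convenience wrapper: does the execute-write check pass after the sequence? */
bool sequence_is_safe(prep_write_fn write_fn)
{
    prep_ctx_t ctx;
    memset(&ctx, 0, sizeof(ctx));
    ctx.len = run_overlapping_sequence(write_fn);
    return exec_write_is_safe(&ctx);
}

int main(void)
{
    printf("accumulate: len=%zu safe=%d\n",
           run_overlapping_sequence(prep_write_accumulate),
           (int)sequence_is_safe(prep_write_accumulate));
    printf("checked:    len=%zu safe=%d\n",
           run_overlapping_sequence(prep_write_checked),
           (int)sequence_is_safe(prep_write_checked));
    return 0;
}
```

The point of the model is that the per-fragment bounds check is not enough: the reported length must be derived from offsets, not summed, and the consumer of the buffer should re-validate the length against the buffer size rather than trust a value built up across several untrusted requests.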