Espressif ESP-IDF
cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*
- 5.5.2
- 5.4.3
- 5.3.4
- 5.2.5
- 5.1.6
A vulnerability in the WPS (Wi-Fi Protected Setup) Enrollee implementation of the Espressif Internet of Things Development Framework has been identified. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.5, and 5.1.6, malformed EAP-WSC packets with truncated payloads can cause an integer underflow during fragment length calculation. This underflow occurs when the EAP Length field does not include the expected payload, leading to a negative fragment length that is improperly cast to a large unsigned value. The issue can be exploited to create a heap buffer overflow, memory corruption, and potentially allow arbitrary code execution. Additionally, in the non-fragmented code path, the vulnerability can cause memory exhaustion and a device reset by triggering a large memory allocation that overwhelms system resources.
Exploitation of this vulnerability causes a heap buffer overflow, leading to memory corruption. This can result in a device crash or allow arbitrary code execution. The vulnerability also causes a denial-of-service condition by exhausting memory resources, causing the device to reset.
To reproduce this vulnerability, initiate a WPS pairing process (either PBC or PIN mode) on a device running an affected version of the Espressif ESP-IDF. An attacker within Wi-Fi range can then send malformed EAP-WSC packets that exploit the vulnerability by truncating the payload, causing an integer underflow in the fragment length calculation. This can be done by manipulating the EAP Length field to cover only the header and flags, while omitting the expected payload, such as the Message Length field when the WPS_MSG_FLAG_LEN is set.
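As an added illustration of the length arithmetic the advisory describes (written for this page, not ESP-IDF's or hostapd's own code; the 14-byte EAP-WSC header layout, the WPS_MSG_FLAG_LEN value and the sample packets are assumptions), the unchecked computation is shown beside a bounds-checked parser that rejects the truncated case:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define WPS_MSG_FLAG_LEN 0x02  /* assumed value, as in hostapd's wps_defs.h */
#define EAP_WSC_HDR_LEN  14    /* EAP hdr(4) + expanded type(8) + op_code(1) + flags(1) */

struct wsc_frag {
    uint8_t op_code, flags;
    uint16_t message_length;    /* only present when WPS_MSG_FLAG_LEN is set */
    size_t data_off, data_len;  /* fragment payload within the buffer */
};
static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The arithmetic the advisory describes: payload length = end - pos, with pos
 * already moved past the optional Message Length field. When the EAP Length
 * stops before that field the difference is negative and the size_t cast makes
 * it huge. Integer offsets keep this demonstration itself well-defined. */
size_t wsc_frag_len_unchecked(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < EAP_WSC_HDR_LEN) return 0;
    size_t end = get_be16(buf + 2), pos = EAP_WSC_HDR_LEN;  /* EAP Length trusted as-is */
    if (buf[13] & WPS_MSG_FLAG_LEN) pos += 2;  /* no check that Length covers it */
    return (size_t)((long)end - (long)pos);    /* 14 - 16 = -2 -> SIZE_MAX - 1 */
}
/* Hardened parse: every field is checked against the EAP Length and the real
 * buffer size before it is read, so a truncated packet is rejected. */
bool wsc_frag_parse(const uint8_t *buf, size_t buf_len, struct wsc_frag *out)
{
    if (buf_len < EAP_WSC_HDR_LEN) return false;
    size_t end = get_be16(buf + 2), pos = EAP_WSC_HDR_LEN;
    if (end < pos || end > buf_len) return false;  /* Length must cover header and fit */
    out->op_code = buf[12]; out->flags = buf[13]; out->message_length = 0;
    if (out->flags & WPS_MSG_FLAG_LEN) {
        if (end - pos < 2) return false;           /* the advisory's truncated case */
        out->message_length = get_be16(buf + pos);
        pos += 2;
    }
    out->data_off = pos; out->data_len = end - pos;
    return true;
}
/* Constructed samples, not captures; bytes 4..11 are expanded type 254, WFA
 * vendor id and vendor type 1. TRUNCATED: Length 14 covers only header, op_code
 * and flags, yet FLAG_LEN is set. VALID: Length 19 also covers Message Length (256) and 3 data bytes. */
const uint8_t TRUNCATED_WSC[14] = { 0x01, 0x01, 0x00, 0x0e, 0xfe, 0x00, 0x37, 0x2a,
                                    0x00, 0x00, 0x00, 0x01, 0x04, 0x02 };
const uint8_t VALID_WSC[19] = { 0x01, 0x01, 0x00, 0x13, 0xfe, 0x00, 0x37, 0x2a,
                                0x00, 0x00, 0x00, 0x01, 0x04, 0x02, 0x01, 0x00,
                                0xaa, 0xbb, 0xcc };
```

The first function returns the value a length-driven allocation or copy would receive; the second is the shape of check that makes the truncated packet a parse failure instead.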
The vulnerability has been patched in Espressif ESP-IDF versions 5.5.3, 5.4.4, 5.3.5, 5.2.6, and 5.1.7. Users should update to one of these versions to address the vulnerability.