Arduino-ESP32 WebServer Digest Authentication Bypass Vulnerability Allowing Cross-Resource Replay Attack

Vulnerability

A vulnerability exists in the Arduino core for ESP32 microcontrollers, specifically in versions prior to 3.3.8. The issue arises in the WebServer library's Digest authentication implementation, which computes the authentication hash using the URI taken from the client's Authorization header without checking that it matches the URI actually requested. This flaw enables an attacker holding a valid digest response for one URI to authenticate requests to a different protected URI, effectively bypassing access controls. The vulnerability is rooted in a failure to adhere to RFC 7616, which requires the server to verify the URI in the Authorization header before accepting the digest response.

Impact

Exploitation of this vulnerability allows an attacker to replay a valid Digest response from one URI to another, bypassing access controls and potentially escalating privileges, especially in applications with mixed public and admin-only endpoints.

Reproduction

To reproduce this vulnerability, deploy an Arduino-ESP32 sketch that protects an endpoint with Digest authentication, such as '/admin'. An attacker can then obtain a valid digest response for a low-privilege URI (like '/api/public') and use it to access the admin-only endpoint, bypassing the authentication requirement.
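The check the description above says is missing, as an added example (Python, not code from the arduino-esp32 project): a minimal RFC 7616 Digest verifier for MD5 with qop=auth, where check_uri=False mirrors the pre-3.3.8 behaviour and check_uri=True is the required comparison of the header's uri field against the requested URI. Usernames, realm, nonce and password values are constructed; nonce freshness and nc tracking are omitted for brevity.

```python
import hashlib
import hmac
import re

# Added example, not arduino-esp32 code: a minimal RFC 7616 Digest verifier
# (MD5, qop=auth). All credential and nonce values below are constructed.

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def parse_authorization(header: str) -> dict:
    """Split the key=value fields of a 'Digest ...' Authorization header."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', header[7:])}

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def build_authorization(user, realm, password, method, uri, nonce, nc, cnonce):
    """Client side: the header a browser sends for one specific URI."""
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def verify_digest(header, method, request_uri, password, check_uri=True) -> bool:
    """Server side. check_uri=False mirrors the flaw: HA2 is computed from the
    client-supplied uri field and never compared with the URI actually requested,
    so a response minted for one URI also validates on another. check_uri=True
    is the RFC 7616 requirement: reject a mismatch before trusting the hash."""
    f = parse_authorization(header)
    if check_uri and f.get("uri") != request_uri:
        return False
    expected = digest_response(f["username"], f["realm"], password, method,
                               f["uri"], f["nonce"], f["nc"], f["cnonce"],
                               f.get("qop", "auth"))
    return hmac.compare_digest(expected, f["response"])
```

With the URI check in place, a header whose uri field names one resource is refused on any other resource, which is the behaviour the 3.3.8 fix restores.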

Remediation

Users can upgrade to Arduino-ESP32 version 3.3.8 or later, where this vulnerability has been fixed.

Added: May 12, 2026, 10:32 PM
Updated: May 12, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread           6.6
  impact           1.3
  exploitability   5.5
  remediation      7.7
  relevance        8.2
  threat           6.4
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.