Technical Advisory: Espressif Systems - ESP32 BluFi Reference Application Vulnerabilities

Vendor: Espressif Systems

Vendor URL: https://www.espressif.com/ 

Versions affected: ESP-IDF versions 5.0.7, 5.1.5, 5.2.3, and 5.3.1 (latest supported release versions at time of submission; others likely)

Systems Affected: ESP32 / ESP-IDF 

Author: James Chambers

Advisory URL / CVE Identifier: None (Vendor declined to create advisory or assign CVEs)

Risk: High (arbitrary code execution over wireless interfaces)

Summary:

BluFi allows users to configure an ESP32 device with WiFi network credentials using a Bluetooth interface. NCC Group has discovered several memory corruption vulnerabilities and cryptographic weaknesses in the reference ESP32 BluFi application, which is copied into many projects that make use of the BluFi interface for easy WiFi configuration.

Location:

ESP-IDF BluFi Reference Application (https://github.com/espressif/esp-idf/tree/master/examples/bluetooth/blufi)

Impact:

An attacker can achieve arbitrary code execution on an ESP32 device via the Bluetooth interface, and/or discover secret information on the device or Bluetooth channel such as WiFi network credentials.

Details:

See the report submitted to Espressif Systems for full vulnerability details. 

Recommendations:

See the report linked above for NCC Group's recommendations on how to fix specific vulnerabilities.

Patches for the memory corruption issues are available in the following branches of the official esp-idf repository:

• master: 3fc6c93936077cb1659e1f0e0268e62cf6423e9d
• v5.4: 5f93ec3b11b6115475c34de57093b3672d594e8f
• v5.3: f40aa9c587a8e570dfde2e6330382dcd170d5a5d
• v5.2: bf50c0c197af30990026c8f8286298d2aa5a3c99
• v5.1: b1657d9dd4d0e48ed25e02cb8fe8413f479a2a84
• v5.0: cc00e9f2fc4f7e8fbaff27851b4a8b45fa483501

Vendor Communication:

• November 12, 2024 - Submitted vulnerability disclosure to Espressif's bug bounty email address (bugbounty@espressif.com)
• November 14, 2024 - Espressif acknowledges receipt
• November 22, 2024 - Espressif provides proposed patch for "Buffer Overflows in WiFi Credential Setting Commands" 
• November 22, 2024 - NCC Group provides feedback and corrections for patch
• December 20, 2024 - Espressif provides responses to all issues as well as proposed patches for memory corruption vulnerabilities
• December 20, 2024 - NCC Group provides feedback and corrections for patches
• January 6, 2025 - Espressif asks for any further comments
• January 15, 2025 - NCC Group suggests adding further guidance on cryptographic concerns to BluFi documentation
• January 23, 2025 - Espressif publishes first round of patches to GitHub (https://github.com/espressif/esp-idf/commit/12b7a9e6d78012ab9184b7ccdb5524364bf7e345), informs NCC Group they do not consider the bugs to be security vulnerabilities and are therefore ineligible for the bug bounty program
• January 24, 2025 - NCC Group informs vendor of intent to publish and asks for clarification on whether any advisory or CVE will be issued
• January 24, 2025 - Espressif responds that they do not plan to issue any advisory or apply for CVEs 
• January 28, 2025 - NCC Group informs vendor of bugs in patch published on the 23rd
• February 12, 2025 - Espressif responds they have published new patches after reviewing feedback (https://github.com/espressif/esp-idf/commit/f40aa9c587a8e570dfde2e6330382dcd170d5a5d)