Mitigate CVE-2020-12638 WiFi WPA Downgrade by OttoWinter · Pull Request #1207 · esphome/esphome · GitHub

Mitigate CVE-2020-12638 WiFi WPA Downgrade #1207


Merged: 6 commits, Jul 27, 2020

Conversation

@OttoWinter (Member) commented Jul 27, 2020

Description:

Got contacted by @s00500 about a CVE for ESP8266/ESP32 where sending a specially crafted beacon frame during an active wifi connection can downgrade encrypted connections to open ones.

See also https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors and esp8266/Arduino#7486

TODO:

  • Test nothing breaks (when does the AUTHMODE_CHANGE event occur? Also during connecting?)
  • Is the check exhaustive enough? Couldn't this be used to also downgrade to WEP, and then break that? I will have to look at how WEP attacks work (if it's during handshake phase or later)
  • Test the mitigation actually works (not sure if I'll be able to do that, I don't have the hardware around to create wifi packets in promiscuous mode)

Related issue (if applicable): fixes

Pull request in esphome-docs with documentation (if applicable): esphome/esphome-docs#

Checklist:

  • The code change is tested and works locally.
  • Tests have been added to verify that the new code works (under tests/ folder).

If user exposed functionality or configuration variables are added/changed:

OttoWinter and others added 2 commits July 27, 2020 13:26
Co-authored-by: Lukas Bachschwell <lukas@lbsfilm.at>
@OttoWinter OttoWinter added this to the 1.15.0b2 milestone Jul 27, 2020
@OttoWinter OttoWinter changed the title Bump version to v1.13.0b1 Mitigate CVE-2020-12638 Jul 27, 2020
@OttoWinter OttoWinter changed the title Mitigate CVE-2020-12638 Mitigate CVE-2020-12638 WiFi WPA Downgrade Jul 27, 2020
@OttoWinter (Member, Author) commented Jul 27, 2020

Ok so I tested with the following config:

wifi:
  networks:
    - ssid: 'Open Network'
      priority: 100
    - ssid: 'WPA2 Network'
      password: 'the_password'

Steps:

  • ESP connects to Open Network (due to high priority)
  • Turn open network AP off -> ESP connects to WPA2 network
  • Enable open network again (ESP doesn't rescan yet)
  • Disable WPA2 network. ESP scans for new networks again
  • When connecting to "Open Network", I see the message "Potential Authmode downgrade detected, disconnecting...", even though it's not this attack, and it disconnects. The second time it tries to connect it works though.

This is because the code doesn't know if it was previously connected or not. I won't fix that at this time because it's a minor annoyance that few people will experience (having multiple networks with different auth mode is unlikely).


Also, something's up with GH actions today, the CI / test (test 1) job is running on the "Fix Typo" commit, not the latest one.
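As an added example (not ESPHome's code and not the fix in this PR), the C++ below models the downgrade check described in the PR description together with a per-SSID memory that would avoid the false positive reported in the comment above. Everything in it is an assumption for illustration: the event kinds and auth-mode names (modelled on the ESP SDK's but not the real API), the strength ranking (WEP ranked just above open, mixed WPA/WPA2 ranked with WPA), and the assumption that the firmware knows which SSID an auth-mode-change event concerns, which the real SDK event does not carry.

```cpp
// Added example, not code from ESPHome or from this PR. Models an auth-mode
// downgrade guard for a WiFi station; all names and events are assumptions.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Auth modes a station can be in (assumed names, modelled on the ESP SDK's).
enum class AuthMode : uint8_t { OPEN, WEP, WPA_PSK, WPA_WPA2_PSK, WPA2_PSK };

// Strength rank used to decide "weaker than before". Choices made here, not by
// the PR: WEP counts as barely above open (it is trivially broken), and the
// mixed WPA/WPA2 mode ranks with WPA because a client can be negotiated down.
static int auth_rank(AuthMode m) {
  switch (m) {
    case AuthMode::OPEN:         return 0;
    case AuthMode::WEP:          return 1;
    case AuthMode::WPA_PSK:      return 2;
    case AuthMode::WPA_WPA2_PSK: return 2;
    case AuthMode::WPA2_PSK:     return 3;
  }
  return 0;
}

// The pure check: is `to` weaker than `from`? (WPA2 -> WEP is also a downgrade.)
bool is_authmode_downgrade(AuthMode from, AuthMode to) {
  return auth_rank(to) < auth_rank(from);
}

enum class Event { CONNECTED, DISCONNECTED, AUTHMODE_CHANGE };

struct StaEvent {
  Event kind;
  std::string ssid;   // assumed: the SSID the station is connected/connecting to
  AuthMode old_mode;  // AUTHMODE_CHANGE: the mode the SDK had cached before
  AuthMode new_mode;  // CONNECTED: mode in use; AUTHMODE_CHANGE: mode now advertised
};

static StaEvent connected(const std::string &s, AuthMode m) { return {Event::CONNECTED, s, m, m}; }
static StaEvent disconnected(const std::string &s) { return {Event::DISCONNECTED, s, AuthMode::OPEN, AuthMode::OPEN}; }
static StaEvent authmode_change(const std::string &s, AuthMode from, AuthMode to) { return {Event::AUTHMODE_CHANGE, s, from, to}; }

// Remembers, per SSID, the strongest mode we have actually authenticated with.
// A change event for a known SSID is judged against that memory rather than
// the SDK's cached old mode, so joining an open network after a WPA2 one
// (two different SSIDs) is not reported as a downgrade.
class AuthmodeDowngradeGuard {
 public:
  // Returns true when the link must be dropped instead of continuing.
  bool on_event(const StaEvent &ev) {
    if (ev.kind == Event::DISCONNECTED) return false;
    const int new_rank = auth_rank(ev.new_mode);
    const auto it = best_rank_.find(ev.ssid);
    const bool known = it != best_rank_.end();
    if (ev.kind == Event::AUTHMODE_CHANGE) {
      // Never joined this SSID: fall back to the SDK's own old/new pair.
      const int baseline = known ? it->second : auth_rank(ev.old_mode);
      return new_rank < baseline;  // memory only moves on a real CONNECTED
    }
    // CONNECTED: refuse if this SSID was authenticated with something stronger before.
    if (known && new_rank < it->second) return true;
    best_rank_[ev.ssid] = new_rank;
    return false;
  }

 private:
  std::map<std::string, int> best_rank_;
};

// Feeds a trace through a fresh guard; returns how many events it rejected.
int replay(const std::vector<StaEvent> &trace) {
  AuthmodeDowngradeGuard guard;
  int rejected = 0;
  for (const auto &ev : trace) rejected += guard.on_event(ev) ? 1 : 0;
  return rejected;
}

// Constructed trace: the attack from the PR description. A crafted beacon for
// the same SSID makes the SDK switch the live WPA2 link to open.
std::vector<StaEvent> attack_trace() {
  return {connected("Home", AuthMode::WPA2_PSK),
          authmode_change("Home", AuthMode::WPA2_PSK, AuthMode::OPEN)};
}

// Constructed trace: the two-network test from the comment above. The change
// event arrives while rejoining "Open Network" with the SDK's old mode still
// set from "WPA2 Network"; per-SSID memory says open is normal there.
std::vector<StaEvent> two_network_trace() {
  return {connected("Open Network", AuthMode::OPEN),
          disconnected("Open Network"),
          connected("WPA2 Network", AuthMode::WPA2_PSK),
          disconnected("WPA2 Network"),
          authmode_change("Open Network", AuthMode::WPA2_PSK, AuthMode::OPEN),
          connected("Open Network", AuthMode::OPEN)};
}

int main() {
  std::printf("attack trace: %d rejected\n", replay(attack_trace()));           // 1
  std::printf("two-network trace: %d rejected\n", replay(two_network_trace())); // 0
  return 0;
}
```

The per-SSID memory is deliberately one-directional: an AP that is legitimately reconfigured from WPA2 to open will be refused until the device reboots, which is the fail-safe direction for this class of attack. Ranking WEP below WPA/WPA2 takes the "is the check exhaustive enough?" question from the TODO list the conservative way, treating a push to WEP the same as a push to open.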

@OttoWinter OttoWinter merged commit 389889a into dev Jul 27, 2020
@OttoWinter OttoWinter deleted the mitigate-cve-2020-12638 branch July 27, 2020 16:22
OttoWinter added a commit that referenced this pull request Jul 28, 2020
Co-authored-by: Lukas Bachschwell <lukas@lbsfilm.at>
@github-actions github-actions bot locked and limited conversation to collaborators Sep 14, 2021