Espressif Systems Information for VU#228519

Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse

Status

Affected

Vendor Statement

Our products ESP8266 and ESP32 are affected by the vulnerability identified as VU#228519.

For ESP32, we have made remediation in ESP-IDF v2.1.1 on GitHub. ESP32 which uses ESP-IDF v2.1.1 or later than v2.1.1 will not be affected by this vulnerability.

For ESP8266, we have updated both RTOS SDK and NONOS SDK on GitHub on October 13, 2017. ESP8266 which uses RTOS SDK or NONOS SDK after October 13, 2017 will not be affected by this vulnerability.

We strongly recommend that users update their ESP-IDF, ESP8266 RTOS SDK and ESP8266 NONOS SDK to the latest version to avoid being affected by this vulnerability.

For ESP8089 and ESP8689, the supplicant protocol runs on the host side. So, whether they are affected by this vulnerability depends on which host is used. But we also recommend that users update their host to fix this vulnerability.

The updates of ESP-IDF, ESP8266 RTOS SDK and ESP8266 NONOS SDK can be found on the following website:
ESP-IDF: https://github.com/espressif/esp-idf
ESP8266 RTOS SDK: https://github.com/espressif/ESP8266_RTOS_SDK
ESP8266 NONOS SDK: https://github.com/espressif/ESP8266_NONOS_SDK

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://github.com/espressif/esp-idf
https://github.com/espressif/ESP8266_RTOS_SDK
https://github.com/espressif/ESP8266_NONOS_SDK

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.