Espressif Systems Information for VU#228519
Wi-Fi Protected Access (WPA) handshake traffic can be manipulated to induce nonce and session key reuse
- Vendor Information Help Date Notified: 22 Sep 2017
- Statement Date: 13 Oct 2017
- Date Updated: 13 Oct 2017
Our products ESP8266 and ESP32 are affected by the vulnerability identified as VU#228519.
For ESP32, we have made remediation in ESP-IDF v2.1.1 on Github. ESP32 which uses ESP-IDF v2.1.1 or later than v2.1.1 will not be affected by this vulnerability.
For ESP8266, we have updated both RTOS SDK and NONOS SDK on Github on October 13, 2017. ESP8266 which uses RTOS SDK or NONOS SDK after October 13, 2017 will not be affected by this vulnerability.
We strongly recommend that users update their ESP-IDF, ESP8266 RTOS SDK and ESP8266 NONOS SDK to the latest version to avoid being affected by this vulnerability.
For ESP8089 and ESP8689, the supplicant protocol runs on the host side. So, whether they are affected by this vulnerability depends on which host is used. But we also recommend that users update their host to fix this vulnerability.
The updates of ESP-IDF, ESP8266 RTOS SDK and ESP8266 NONOS SDK can be found on the following website:
ESP8266 RTOS SDK: https://github.com/espressif/ESP8266_RTOS_SDK
ESP8266 NONOS SDK: https://github.com/espressif/ESP8266_NONOS_SDK
We are not aware of further vendor information regarding this vulnerability.
There are no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.