CVE-2018-18558 - OpenCVE

An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory.

No CVSS v3.1

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:M/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Espressif	Esp-idf

Configuration 1 [-]

OR	cpe:2.3:a:espressif:esp-idf::::::::
	cpe:2.3:a:espressif:esp-idf::::::::

References

Link	Resource
https://github.com/espressif/esp-idf/releases	Release Notes Third Party Advisory
https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-05-13T12:49:59

Updated: 2019-05-13T12:49:59

Reserved: 2018-10-22T00:00:00

Link: CVE-2018-18558

JSON object: View

NVD Information

Status : Modified

Published: 2019-05-13T13:29:02.103

Modified: 2023-11-07T02:55:19.017

Link: CVE-2018-18558

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-13T12:49:59", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/releases"}, {"tags": ["x_refsource_MISC"], "url": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-18558", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/espressif/esp-idf/releases", "refsource": "MISC", "url": "https://github.com/espressif/esp-idf/releases"}, {"name": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_(CVE-2018-18558)", "refsource": "MISC", "url": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_(CVE-2018-18558)"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-18558", "datePublished": "2019-05-13T12:49:59", "dateReserved": "2018-10-22T00:00:00", "dateUpdated": "2019-05-13T12:49:59", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "A16A6B0D-D949-4CD3-B16B-66B56E381F6C", "versionEndExcluding": "3.0.6", "versionStartIncluding": "2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "B969656A-0BC9-4869-96FE-0D08C9EBB83D", "versionEndIncluding": "3.1.1", "versionStartIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Espressif ESP-IDF versi\u00f3n 2.x y versi\u00f3n 3.x anterior a 3.0.6 y versi\u00f3n 3.1.x anterior a 3.1.1. La comprobaci\u00f3n insuficiente de los datos de entrada en el gestor de arranque de la segunda etapa permite que un atacante f\u00edsicamente pr\u00f3ximo omita las comprobaciones de arranque seguras y ejecute c\u00f3digo arbitrario, creando un binario de aplicaci\u00f3n que sobrescriba un segmento de c\u00f3digo del gestor de arranque en el par\u00e1metro process_segment en el archivo components/bootloader_support/src/esp_image_format.c. El ataque es exitoso cuando la funci\u00f3n de cifrado flash est\u00e1 inhabilitada, o si el atacante encuentra una vulnerabilidad distinta que le permite escribir este binario en la memoria flash."}], "id": "CVE-2018-18558", "lastModified": "2023-11-07T02:55:19.017", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-13T13:29:02.103", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/espressif/esp-idf/releases"}, {"source": "cve@mitre.org", "url": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}