CVE-2021-28139 - OpenCVE

The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:A/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Espressif	Esp-idf Esp32

Configuration 1 [-]

AND

cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*

cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*

References

Link	Resource
https://dl.packetstormsecurity.net/papers/general/braktooth.pdf	Technical Description Third Party Advisory
https://github.com/espressif/esp-idf	Product Third Party Advisory
https://github.com/espressif/esp32-bt-lib	Product Third Party Advisory
https://www.espressif.com/en/products/socs/esp32	Product Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-09-07T06:27:53

Updated: 2021-09-07T06:27:53

Reserved: 2021-03-11T00:00:00

Link: CVE-2021-28139

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-09-07T07:15:06.877

Modified: 2021-09-09T23:30:21.467

Link: CVE-2021-28139

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-07T06:27:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp32-bt-lib"}, {"tags": ["x_refsource_MISC"], "url": "https://www.espressif.com/en/products/socs/esp32"}, {"tags": ["x_refsource_MISC"], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28139", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/espressif/esp-idf", "refsource": "MISC", "url": "https://github.com/espressif/esp-idf"}, {"name": "https://github.com/espressif/esp32-bt-lib", "refsource": "MISC", "url": "https://github.com/espressif/esp32-bt-lib"}, {"name": "https://www.espressif.com/en/products/socs/esp32", "refsource": "MISC", "url": "https://www.espressif.com/en/products/socs/esp32"}, {"name": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf", "refsource": "MISC", "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28139", "datePublished": "2021-09-07T06:27:53", "dateReserved": "2021-03-11T00:00:00", "dateUpdated": "2021-09-07T06:27:53", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFF8C3F9-F42A-48FF-ADBF-E09B7D7B5550", "versionEndIncluding": "4.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*", "matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload."}, {"lang": "es", "value": "La implementaci\u00f3n de Bluetooth Classic en Espressif ESP-IDF versiones 4.4 y anteriores, no restringe apropiadamente la P\u00e1gina de Funcionalidades tras la recepci\u00f3n de un paquete LMP de Funci\u00f3n de Respuesta Ampliada, permitiendo a atacantes en el rango de radio desencadenar una ejecuci\u00f3n de c\u00f3digo arbitrario en ESP32 por medio de una carga de bits de Funcionalidades Ampliadas dise\u00f1ada"}], "id": "CVE-2021-28139", "lastModified": "2021-09-09T23:30:21.467", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 8.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-07T07:15:06.877", "references": [{"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/espressif/esp-idf"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/espressif/esp32-bt-lib"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://www.espressif.com/en/products/socs/esp32"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}