The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload.
References
| Link | Resource |
|---|---|
| https://dl.packetstormsecurity.net/papers/general/braktooth.pdf | Technical Description, Third Party Advisory |
| https://github.com/espressif/esp-idf | Product, Third Party Advisory |
| https://github.com/espressif/esp32-bt-lib | Product, Third Party Advisory |
| https://www.espressif.com/en/products/socs/esp32 | Product, Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-09-07T06:27:53
Updated: 2021-09-07T06:27:53
Reserved: 2021-03-11T00:00:00
Link: CVE-2021-28139
NVD Information
Status: Analyzed
Published: 2021-09-07T07:15:06.877
Modified: 2021-09-09T23:30:21.467
Link: CVE-2021-28139
Redhat Information
No data.
CWE