CVE-2018-18558 - Vulnerability Details - OpenCVE

An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory.

No CVSS v4.0

No CVSS v3.1

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.00036.

Key SSVC decision points have not yet been added.

Vendors	Products
Espressif	Esp-idf

Configuration 1 [-]

OR	cpe:2.3:a:espressif:esp-idf::::::::
	cpe:2.3:a:espressif:esp-idf::::::::

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/espressif/esp-idf/releases
https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-05-13T12:49:59

Updated: 2024-08-05T11:15:58.936Z

Reserved: 2018-10-22T00:00:00

Link: CVE-2018-18558

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-05-13T13:29:02.103

Modified: 2024-11-21T03:56:09.217

Link: CVE-2018-18558

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-05-13T12:49:59", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf/releases"}, {"tags": ["x_refsource_MISC"], "url": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-18558", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/espressif/esp-idf/releases", "refsource": "MISC", "url": "https://github.com/espressif/esp-idf/releases"}, {"name": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_(CVE-2018-18558)", "refsource": "MISC", "url": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_(CVE-2018-18558)"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:15:58.936Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/espressif/esp-idf/releases"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-18558", "datePublished": "2019-05-13T12:49:59", "dateReserved": "2018-10-22T00:00:00", "dateUpdated": "2024-08-05T11:15:58.936Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "A16A6B0D-D949-4CD3-B16B-66B56E381F6C", "versionEndExcluding": "3.0.6", "versionStartIncluding": "2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "B969656A-0BC9-4869-96FE-0D08C9EBB83D", "versionEndIncluding": "3.1.1", "versionStartIncluding": "3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Espressif ESP-IDF 2.x and 3.x before 3.0.6 and 3.1.x before 3.1.1. Insufficient validation of input data in the 2nd stage bootloader allows a physically proximate attacker to bypass secure boot checks and execute arbitrary code, by crafting an application binary that overwrites a bootloader code segment in process_segment in components/bootloader_support/src/esp_image_format.c. The attack is effective when the flash encryption feature is not enabled, or if the attacker finds a different vulnerability that allows them to write this binary to flash memory."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Espressif ESP-IDF versi\u00f3n 2.x y versi\u00f3n 3.x anterior a 3.0.6 y versi\u00f3n 3.1.x anterior a 3.1.1. La comprobaci\u00f3n insuficiente de los datos de entrada en el gestor de arranque de la segunda etapa permite que un atacante f\u00edsicamente pr\u00f3ximo omita las comprobaciones de arranque seguras y ejecute c\u00f3digo arbitrario, creando un binario de aplicaci\u00f3n que sobrescriba un segmento de c\u00f3digo del gestor de arranque en el par\u00e1metro process_segment en el archivo components/bootloader_support/src/esp_image_format.c. El ataque es exitoso cuando la funci\u00f3n de cifrado flash est\u00e1 inhabilitada, o si el atacante encuentra una vulnerabilidad distinta que le permite escribir este binario en la memoria flash."}], "id": "CVE-2018-18558", "lastModified": "2024-11-21T03:56:09.217", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-13T13:29:02.103", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/espressif/esp-idf/releases"}, {"source": "cve@mitre.org", "url": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/espressif/esp-idf/releases"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.espressif.com/en/news/Espressif_Product_Security_Advisory_Concerning_Secure_Boot_%28CVE-2018-18558%29"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}