CVE-2021-28139 - OpenCVE

The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Adjacent Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:A/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Espressif	Esp-idf Esp32

Configuration 1 [-]

AND

cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*

cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://dl.packetstormsecurity.net/papers/general/braktooth.pdf
https://github.com/espressif/esp-idf
https://github.com/espressif/esp32-bt-lib
https://www.espressif.com/en/products/socs/esp32

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-09-07T06:27:53

Updated: 2024-08-03T21:33:17.547Z

Reserved: 2021-03-11T00:00:00

Link: CVE-2021-28139

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-09-07T07:15:06.877

Modified: 2021-09-09T23:30:21.467

Link: CVE-2021-28139

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-09-07T06:27:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp-idf"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/espressif/esp32-bt-lib"}, {"tags": ["x_refsource_MISC"], "url": "https://www.espressif.com/en/products/socs/esp32"}, {"tags": ["x_refsource_MISC"], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-28139", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/espressif/esp-idf", "refsource": "MISC", "url": "https://github.com/espressif/esp-idf"}, {"name": "https://github.com/espressif/esp32-bt-lib", "refsource": "MISC", "url": "https://github.com/espressif/esp32-bt-lib"}, {"name": "https://www.espressif.com/en/products/socs/esp32", "refsource": "MISC", "url": "https://www.espressif.com/en/products/socs/esp32"}, {"name": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf", "refsource": "MISC", "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:33:17.547Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/espressif/esp-idf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/espressif/esp32-bt-lib"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.espressif.com/en/products/socs/esp32"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-28139", "datePublished": "2021-09-07T06:27:53", "dateReserved": "2021-03-11T00:00:00", "dateUpdated": "2024-08-03T21:33:17.547Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:espressif:esp-idf:*:*:*:*:*:*:*:*", "matchCriteriaId": "EFF8C3F9-F42A-48FF-ADBF-E09B7D7B5550", "versionEndIncluding": "4.4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:espressif:esp32:-:*:*:*:*:*:*:*", "matchCriteriaId": "D1024B06-380B-4116-B7F9-A21A03534B0C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Bluetooth Classic implementation in Espressif ESP-IDF 4.4 and earlier does not properly restrict the Feature Page upon reception of an LMP Feature Response Extended packet, allowing attackers in radio range to trigger arbitrary code execution in ESP32 via a crafted Extended Features bitfield payload."}, {"lang": "es", "value": "La implementaci\u00f3n de Bluetooth Classic en Espressif ESP-IDF versiones 4.4 y anteriores, no restringe apropiadamente la P\u00e1gina de Funcionalidades tras la recepci\u00f3n de un paquete LMP de Funci\u00f3n de Respuesta Ampliada, permitiendo a atacantes en el rango de radio desencadenar una ejecuci\u00f3n de c\u00f3digo arbitrario en ESP32 por medio de una carga de bits de Funcionalidades Ampliadas dise\u00f1ada"}], "id": "CVE-2021-28139", "lastModified": "2021-09-09T23:30:21.467", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 8.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:A/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.5, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-07T07:15:06.877", "references": [{"source": "cve@mitre.org", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://dl.packetstormsecurity.net/papers/general/braktooth.pdf"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/espressif/esp-idf"}, {"source": "cve@mitre.org", "tags": ["Product", "Third Party Advisory"], "url": "https://github.com/espressif/esp32-bt-lib"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://www.espressif.com/en/products/socs/esp32"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}