CVE-2019-12587
Last modified
CVE-2019-12587 is a vulnerability of currently unknown severity. The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 allows the installation of a zero Pairwise Master Key (PMK) after the completion of any EAP authentication method, which allows attackers in radio range to replay, decrypt, or spoof frames via a rogue access point.. EPSS estimates a 0.80% chance of exploitation in the next 30 days.
Description
The EAP peer implementation in Espressif ESP-IDF 2.0.0 through 4.0.0 and ESP8266_NONOS_SDK 2.2.0 through 3.1.0 allows the installation of a zero Pairwise Master Key (PMK) after the completion of any EAP authentication method, which allows attackers in radio range to replay, decrypt, or spoof frames via a rogue access point.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Espressif | Esp-Idf | >= 2.0.0, <= 4.0.0 |
| Espressif | Esp8266 Nonos Sdk | >= 2.2.0, <= 3.1.0 |
References
- https://github.com/Matheus-Garbelini/esp32_esp8266_attacksExploit, Third Party Advisory
- https://github.com/espressifProduct
- https://matheus-garbelini.github.io/home/post/zero-pmk-installation/Patch, Third Party Advisory
- https://github.com/Matheus-Garbelini/esp32_esp8266_attacksExploit, Third Party Advisory
- https://github.com/espressifProduct
- https://matheus-garbelini.github.io/home/post/zero-pmk-installation/Patch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-12587?
How severe is CVE-2019-12587?
How do I fix CVE-2019-12587?
Are you affected by CVE-2019-12587?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST