CVE-2024-28183

Anti Rollback bypass with physical access and TOCTOU attack

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

ESP-IDF is the development framework for Espressif SoCs supported on Windows, Linux and macOS. A Time-of-Check to Time-of-Use (TOCTOU) vulnerability was discovered in the implementation of the ESP-IDF bootloader which could allow an attacker with physical access to flash of the device to bypass anti-rollback protection. Anti-rollback prevents rollback to application with security version lower than one programmed in eFuse of chip. This attack can allow to boot past (passive) application partition having lower security version of the same device even in the presence of the flash encryption scheme. The attack requires carefully modifying the flash contents after the anti-rollback checks have been performed by the bootloader (before loading the application). The vulnerability is fixed in 4.4.7 and 5.2.1.

ESP-IDF es el framework de desarrollo para los SoC de Espressif compatibles con Windows, Linux y macOS. Se descubrió una vulnerabilidad de tiempo de verificación a tiempo de uso (TOCTOU) en la implementación del gestor de arranque ESP-IDF que podría permitir a un atacante con acceso físico a la memoria flash del dispositivo eludir la protección anti-retroceso. Anti-rollback evita el retroceso a una aplicación con una versión de seguridad inferior a la programada en eFuse del chip. Este ataque puede permitir arrancar más allá de la partición de la aplicación (pasiva) que tiene una versión de menor seguridad del mismo dispositivo, incluso en presencia del esquema de cifrado flash. El ataque requiere modificar cuidadosamente el contenido flash después de que el gestor de arranque haya realizado las comprobaciones anti-retroceso (antes de cargar la aplicación). La vulnerabilidad se solucionó en 4.4.7 y 5.2.1.

*Credits: N/A

CVSS Scores

GitHubv3.1 6.1

Attack Vector

Physical

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-06 CVE Reserved
2024-03-25 CVE Published
2024-03-26 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CAPEC

References (8)

URL	Tag	Source
https://github.com/espressif/esp-idf/commit/3305cb4d235182067936f8e940e6db174e25b4b2	X_refsource_misc
https://github.com/espressif/esp-idf/commit/4c95aa445d4e84f01f86b6f3a552aa299276abf3	X_refsource_misc
https://github.com/espressif/esp-idf/commit/534e3ad1fa68526a5f989fb2163856d6b7cd2c87	X_refsource_misc
https://github.com/espressif/esp-idf/commit/7003f1ef0dffc73c34eb153d1b0710babb078149	X_refsource_misc
https://github.com/espressif/esp-idf/commit/b2cdc0678965790f49afeb6e6b0737cd24433a05	X_refsource_misc
https://github.com/espressif/esp-idf/commit/c33b9e1426121ce8cccf1a94241740be9cff68de	X_refsource_misc
https://github.com/espressif/esp-idf/commit/f327ddf6adab0c28d395975785727b2feef57803	X_refsource_misc
https://github.com/espressif/esp-idf/security/advisories/GHSA-22x6-3756-pfp8	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Espressif Search vendor "Espressif"		Esp-idf Search vendor "Espressif" for product "Esp-idf"				< 4.4.7 Search vendor "Espressif" for product "Esp-idf" and version " < 4.4.7"		en		Affected
Espressif Search vendor "Espressif"		Esp-idf Search vendor "Espressif" for product "Esp-idf"				>= 5.0.0 <= 5.0.6 Search vendor "Espressif" for product "Esp-idf" and version " >= 5.0.0 <= 5.0.6"		en		Affected
Espressif Search vendor "Espressif"		Esp-idf Search vendor "Espressif" for product "Esp-idf"				>= 5.1.0 <= 5.1.3 Search vendor "Espressif" for product "Esp-idf" and version " >= 5.1.0 <= 5.1.3"		en		Affected
Espressif Search vendor "Espressif"		Esp-idf Search vendor "Espressif" for product "Esp-idf"				>= 5.2.0 < 5.2.1 Search vendor "Espressif" for product "Esp-idf" and version " >= 5.2.0 < 5.2.1"		en		Affected