mirror of
https://github.com/esphome/esphome.git
synced 2024-12-22 21:44:55 +01:00
Mitigate CVE-2020-12638 WiFi WPA Downgrade (#1207)
Co-authored-by: Lukas Bachschwell <lukas@lbsfilm.at>
This commit is contained in:
parent
8aa73bba10
commit
389889ad70
2 changed files with 22 additions and 0 deletions
|
@ -391,6 +391,18 @@ void WiFiComponent::wifi_event_callback_(system_event_id_t event, system_event_i
|
|||
auto it = info.auth_change;
|
||||
ESP_LOGV(TAG, "Event: Authmode Change old=%s new=%s", get_auth_mode_str(it.old_mode),
|
||||
get_auth_mode_str(it.new_mode));
|
||||
// Mitigate CVE-2020-12638
|
||||
// https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors
|
||||
if (it.old_mode != WIFI_AUTH_OPEN && it.new_mode == WIFI_AUTH_OPEN) {
|
||||
ESP_LOGW(TAG, "Potential Authmode downgrade detected, disconnecting...");
|
||||
// we can't call retry_connect() from this context, so disconnect immediately
|
||||
// and notify main thread with error_from_callback_
|
||||
err_t err = esp_wifi_disconnect();
|
||||
if (err != ESP_OK) {
|
||||
ESP_LOGW(TAG, "Disconnect failed: %s", esp_err_to_name(err));
|
||||
}
|
||||
this->error_from_callback_ = true;
|
||||
}
|
||||
break;
|
||||
}
|
||||
case SYSTEM_EVENT_STA_GOT_IP: {
|
||||
|
|
|
@ -220,6 +220,7 @@ bool WiFiComponent::wifi_sta_connect_(WiFiAP ap) {
|
|||
if (ap.get_password().empty()) {
|
||||
conf.threshold.authmode = AUTH_OPEN;
|
||||
} else {
|
||||
// Only allow auth modes with at least WPA
|
||||
conf.threshold.authmode = AUTH_WPA_PSK;
|
||||
}
|
||||
conf.threshold.rssi = -127;
|
||||
|
@ -399,6 +400,15 @@ void WiFiComponent::wifi_event_callback(System_Event_t *event) {
|
|||
auto it = event->event_info.auth_change;
|
||||
ESP_LOGV(TAG, "Event: Changed AuthMode old=%s new=%s", get_auth_mode_str(it.old_mode),
|
||||
get_auth_mode_str(it.new_mode));
|
||||
// Mitigate CVE-2020-12638
|
||||
// https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors
|
||||
if (it.old_mode != AUTH_OPEN && it.new_mode == AUTH_OPEN) {
|
||||
ESP_LOGW(TAG, "Potential Authmode downgrade detected, disconnecting...");
|
||||
// we can't call retry_connect() from this context, so disconnect immediately
|
||||
// and notify main thread with error_from_callback_
|
||||
wifi_station_disconnect();
|
||||
global_wifi_component->error_from_callback_ = true;
|
||||
}
|
||||
break;
|
||||
}
|
||||
case EVENT_STAMODE_GOT_IP: {
|
||||
|
|
Loading…
Reference in a new issue