From 389889ad7011e077e4d857a2423df1eafe32d35e Mon Sep 17 00:00:00 2001
From: Otto Winter
Date: Mon, 27 Jul 2020 18:22:38 +0200
Subject: [PATCH] Mitigate CVE-2020-12638 WiFi WPA Downgrade (#1207)

Co-authored-by: Lukas Bachschwell
---
 esphome/components/wifi/wifi_component_esp32.cpp | 12 ++++++++++++
 esphome/components/wifi/wifi_component_esp8266.cpp | 10 ++++++++++
 2 files changed, 22 insertions(+)

diff --git a/esphome/components/wifi/wifi_component_esp32.cpp b/esphome/components/wifi/wifi_component_esp32.cpp
index a387be78ce..09b8433a0e 100644
--- a/esphome/components/wifi/wifi_component_esp32.cpp
+++ b/esphome/components/wifi/wifi_component_esp32.cpp
@@ -391,6 +391,18 @@ void WiFiComponent::wifi_event_callback_(system_event_id_t event, system_event_i
 auto it = info.auth_change;
 ESP_LOGV(TAG, "Event: Authmode Change old=%s new=%s", get_auth_mode_str(it.old_mode), get_auth_mode_str(it.new_mode));
+ // Mitigate CVE-2020-12638
+ // https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors
+ if (it.old_mode != WIFI_AUTH_OPEN && it.new_mode == WIFI_AUTH_OPEN) {
+ ESP_LOGW(TAG, "Potential Authmode downgrade detected, disconnecting...");
+ // we can't call retry_connect() from this context, so disconnect immediately
+ // and notify main thread with error_from_callback_
+ err_t err = esp_wifi_disconnect();
+ if (err != ESP_OK) {
+ ESP_LOGW(TAG, "Disconnect failed: %s", esp_err_to_name(err));
+ }
+ this->error_from_callback_ = true;
+ }
 break;
 }
 case SYSTEM_EVENT_STA_GOT_IP: {
diff --git a/esphome/components/wifi/wifi_component_esp8266.cpp b/esphome/components/wifi/wifi_component_esp8266.cpp
index deee578b4c..efffff0abc 100644
--- a/esphome/components/wifi/wifi_component_esp8266.cpp
+++ b/esphome/components/wifi/wifi_component_esp8266.cpp
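Review bot: In the wifi_component_esp32.cpp hunk the new guard reacts only when `new_mode` is `WIFI_AUTH_OPEN`, so a change from a WPA/WPA2 mode down to `WIFI_AUTH_WEP` would pass without a disconnect. Whether the firmware can be pushed into that transition is not visible here, but treating WEP like open when `old_mode` was WPA or better would keep this check aligned with the "at least WPA" floor that the ESP8266 connect path documents in this same patch. The warning also omits the two modes, which are only printed by the `ESP_LOGV` line above it, so at normal log levels the event cannot be triaged; consider `ESP_LOGW(TAG, "Potential Authmode downgrade detected (old=%s new=%s), disconnecting...", get_auth_mode_str(it.old_mode), get_auth_mode_str(it.new_mode));`. Both points apply equally to the matching event-callback hunk in wifi_component_esp8266.cpp. The enclosing `wifi_event_callback_` starts and ends outside the hunk.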
@@ -220,6 +220,7 @@ bool WiFiComponent::wifi_sta_connect_(WiFiAP ap) {
 if (ap.get_password().empty()) {
 conf.threshold.authmode = AUTH_OPEN;
 } else {
+ // Only allow auth modes with at least WPA
 conf.threshold.authmode = AUTH_WPA_PSK;
 }
 conf.threshold.rssi = -127;
@@ -399,6 +400,15 @@ void WiFiComponent::wifi_event_callback(System_Event_t *event) {
 auto it = event->event_info.auth_change;
 ESP_LOGV(TAG, "Event: Changed AuthMode old=%s new=%s", get_auth_mode_str(it.old_mode), get_auth_mode_str(it.new_mode));
+ // Mitigate CVE-2020-12638
+ // https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors
+ if (it.old_mode != AUTH_OPEN && it.new_mode == AUTH_OPEN) {
+ ESP_LOGW(TAG, "Potential Authmode downgrade detected, disconnecting...");
+ // we can't call retry_connect() from this context, so disconnect immediately
+ // and notify main thread with error_from_callback_
+ wifi_station_disconnect();
+ global_wifi_component->error_from_callback_ = true;
+ }
 break;
 }
 case EVENT_STAMODE_GOT_IP: {
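Review bot: In the `wifi_event_callback` hunk (the second hunk of this file) the result of `wifi_station_disconnect();` is discarded, whereas the ESP32 branch of the same mitigation logs a failed disconnect. If the call fails here, the station stays associated in the downgraded mode and nothing in the log shows that the mitigation did not take effect. Check the return value, for example `if (!wifi_station_disconnect()) ESP_LOGW(TAG, "Disconnect failed");`. The enclosing `wifi_event_callback` continues outside the hunk.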