
Bootloader TOCTOU Vulnerability in Anti-rollback Scheme

Moderate
mahavirj published GHSA-22x6-3756-pfp8 Mar 25, 2024

Package

ESP-IDF (ESP-IDF)

Affected versions

v4.4.6
v5.0.6
v5.1.3
v5.2

Patched versions

v4.4.7
v5.0.7 (yet-to-release)
v5.1.4
v5.2.1

Description

Impact

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability was discovered in the implementation of the ESP-IDF bootloader. It could allow an attacker with physical access to the device's flash to bypass anti-rollback protection. Anti-rollback prevents rolling back to an application whose security version is lower than the one programmed in the chip's eFuse.

The attack requires carefully modifying the flash contents after the bootloader has performed the anti-rollback checks but before it loads the application. When flash encryption is enabled, the attack can only boot a previous (passive) application partition of the same device that has a lower security version.

Patches

Additional checks have been added to harden the verification of the application's secure version in the anti-rollback case, so that a valid application with a lower security version (e.g., the passive partition image) can no longer be booted.

  1. In the bootloader, the secure_version is now read during the application hash (SHA256) calculation stage and verified after the application loading stage. This check happens before final control is handed over to the application.

  2. Application startup code has been updated to ensure that the currently booting app has an equal or higher security version than the one programmed in the eFuse for the anti-rollback scenario. This fix can also be deployed to existing devices via an OTA update.
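To illustrate the two fixes just described, here is a constructed C model added for this advisory (it is not ESP-IDF code): the image size, layout and the secure_version offset are assumptions, and the `swapped_in` image stands in for flash contents changing between the bootloader's check and its load of the application.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the flows described in this advisory, not ESP-IDF code:
 * image size, layout and the secure_version offset are assumptions. */
#define APP_SIZE   64
#define SECVER_OFF 8   /* assumed offset of the app's secure_version field */

typedef struct { uint8_t bytes[APP_SIZE]; } image_t;  /* one flash partition */
void make_image(uint32_t secver, image_t *out) {       /* constructed app image */
    memset(out, 0xA5, sizeof *out);
    memcpy(&out->bytes[SECVER_OFF], &secver, sizeof secver);
}
static uint32_t read_secver(const image_t *img) {
    uint32_t v; memcpy(&v, &img->bytes[SECVER_OFF], sizeof v); return v;
}

/* Pre-fix flow: version checked from flash, image loaded from flash later.
 * `swapped_in` (NULL = untouched) models flash contents changing in between. */
int boot_vulnerable(image_t *flash, uint32_t efuse_secver,
                    const image_t *swapped_in, image_t *loaded) {
    if (read_secver(flash) < efuse_secver) return 0;   /* time of check */
    if (swapped_in) *flash = *swapped_in;              /* window */
    *loaded = *flash;                                  /* time of use */
    return 1;                                          /* hands over control */
}

/* Fix 1: secure_version is captured from the bytes actually hashed/loaded
 * and verified again before the jump, so a swap in the window is caught. */
int boot_hardened(image_t *flash, uint32_t efuse_secver,
                  const image_t *swapped_in, image_t *loaded) {
    if (read_secver(flash) < efuse_secver) return 0;
    if (swapped_in) *flash = *swapped_in;
    *loaded = *flash;                            /* SHA256/load stage reads these bytes */
    return read_secver(loaded) >= efuse_secver;  /* final check before handing over */
}

/* Fix 2, app side: the app itself refuses to run below the eFuse version. */
int app_startup_check(const image_t *running, uint32_t efuse_secver) {
    return read_secver(running) >= efuse_secver;
}

/* Scenario: active image v_active, eFuse minimum efuse, image of version
 * v_swapped written inside the window. Bit 0: bootloader hands over control;
 * bit 1: the loaded app's own startup check also passes. */
int scenario(uint32_t efuse, uint32_t v_active, uint32_t v_swapped, int hardened) {
    image_t flash, other, loaded = {{0}};
    make_image(v_active, &flash);
    make_image(v_swapped, &other);
    int ok = hardened ? boot_hardened(&flash, efuse, &other, &loaded)
                      : boot_vulnerable(&flash, efuse, &other, &loaded);
    return ok | ((ok && app_startup_check(&loaded, efuse)) << 1);
}
```

With eFuse minimum 3 and an active image at version 5, swapping in a version-2 image inside the window makes the pre-fix bootloader hand over control (bit 0 set) while the app-side check still refuses to run; the hardened bootloader rejects the swapped image outright.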

Patched versions of ESP-IDF Framework are listed below:

Branch        Commit ID
master        3305cb4, c33b9e1
release/v5.2  4c95aa4, b2cdc06
release/v5.1  7003f1e
release/v5.0  534e3ad
release/v4.4  f327ddf

Workarounds

Please consider updating to an ESP-IDF release containing the fixes mentioned above. Alternatively, the fixes can be cherry-picked into your codebase.

References

None applicable

Credits

We would like to thank Joseph Surin, elttam for reporting this vulnerability and following up on responsible disclosure.

Severity

Moderate

CVE ID

CVE-2024-28183

Weaknesses