Vulnerabilities > CVE-2019-17391 - Improper Handling of Exceptional Conditions vulnerability in Espressif products

CVSS 4.6 - MEDIUM

Attack vector

PHYSICAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

low complexity

espressif

CWE-755

NVD

Published: 2019-11-14

Updated: 2020-08-24

Summary

An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as flash encryption and secure boot keys, by injecting a glitch into the power supply of the chip shortly after reset.

Vulnerable Configurations

Part	Description	Count
OS	Espressif Espressif Esp32 D0Wd Firmware - Espressif Esp32 D2Wd Firmware - Espressif Esp32 S0Wd Firmware - Espressif Esp32 Pico D4 Firmware -	4
Hardware	Espressif Espressif Esp32 D0Wd - Espressif Esp32 D2Wd - Espressif Esp32 S0Wd - Espressif Esp32 Pico D4 -	4

Common Weakness Enumeration (CWE)

CWE-755 - Improper Handling of Exceptional Conditions

References

https://www.espressif.com/en/news/Security_Advisory_Concerning_Fault_Injection_and_eFuse_Protections