Platform: other
Component: arduino-esp32
Fixed in: 7.0.1
CVE-2024-45798 describes a critical Poisoned Pipeline Execution (PPE) vulnerability discovered in the arduino-esp32 core, which provides support for ESP32 microcontrollers. This vulnerability allows attackers to inject malicious code through the tests_results.yml workflow and environment variables, potentially leading to arbitrary code execution. The vulnerability affects versions of arduino-esp32 prior to commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c, and a fix has been released.
The impact of CVE-2024-45798 is severe. Successful exploitation allows an attacker to execute arbitrary code within the CI/CD pipeline of the arduino-esp32 core. This could lead to the compromise of build artifacts, injection of malicious code into firmware images, and ultimately, the deployment of compromised devices. Given the widespread use of ESP32 microcontrollers in IoT devices, this vulnerability poses a significant risk to a broad range of applications, including industrial control systems, consumer electronics, and medical devices. The ability to inject code into the build process effectively compromises the entire software supply chain for these devices.
This vulnerability was publicly disclosed on 2024-09-17. The vulnerability is tracked as GHSL-2024-169 and GHSL-2024-170. While no active exploitation campaigns have been publicly reported, the critical severity and the ease of exploitation (PPE vulnerabilities are often relatively straightforward to exploit) suggest a potential for future attacks. The vulnerability has been added to the CISA KEV catalog, indicating a heightened level of concern.
Exploit Status
EPSS: 0.32% (55th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-45798 is to upgrade to the patched version of the arduino-esp32 core, specifically commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c. If an immediate upgrade is not feasible, carefully review the contents of downloaded artifacts before use. Implement stricter input validation and sanitization within the CI/CD pipeline to prevent future code injection attempts. Consider using a hardened CI/CD environment with restricted access and enhanced security controls. After upgrading, verify the integrity of the build process by reviewing build logs and comparing the generated firmware images against known good versions.
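As an added illustration of the "stricter input validation within the CI/CD pipeline" mitigation above (example code, not part of this advisory or of the arduino-esp32 project): a small Python check that flags GitHub Actions `run:` steps which splice contributor-shapeable event fields straight into the shell script, the classic PPE sink, next to the `env:` form that hands the same value to the shell as data. The sample workflow and the list of untrusted expression contexts are assumptions for this example.

```python
import re

# Constructed sample workflow (not arduino-esp32's own tests_results.yml):
# the first step splices a PR-controlled value straight into a shell script,
# the second passes the same value through `env:` so the shell sees it as data.
SAMPLE_WORKFLOW = """\
on: pull_request_target
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Results for ${{ github.event.pull_request.title }}"
          cat results.yml
      - name: hardened equivalent
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Results for $PR_TITLE"
"""

# Expression contexts an outside contributor can shape (assumed list; extend it).
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.event\.(pull_request|issue|comment|review|workflow_run|head_commit)\."
    r"|github\.head_ref|inputs\.)[^}]*\}\}"
)
RUN_KEY = re.compile(r"(-\s+)?run:\s*(.*)")

def find_ppe_sinks(workflow_text):
    """Return (line_no, expression) for every untrusted expression interpolated
    directly into a `run:` script; values under `env:`/`with:` are not reported."""
    findings, in_run, key_indent = [], False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        # A non-blank line at or left of the `run:` key ends its block scalar.
        if in_run and stripped and indent <= key_indent:
            in_run = False
        m = RUN_KEY.match(stripped)
        if m:
            in_run = True
            key_indent = indent + len(m.group(1) or "")
            line = m.group(2)  # inline script after `run:`, if any
        if in_run:
            findings += [(no, x.group(0)) for x in UNTRUSTED.finditer(line)]
    return findings

if __name__ == "__main__":
    for no, expr in find_ppe_sinks(SAMPLE_WORKFLOW):
        print(f"line {no}: untrusted input interpolated into run script: {expr}")
```

Run it against each workflow in `.github/workflows/` as a pre-merge check; a finding means the value should be moved into `env:` and read from the shell as `"$VAR"` instead.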
Update the arduino-esp32 core to the version containing the fix (commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c) or later. Verify the integrity of downloaded artifacts to ensure they have not been compromised.
CVE-2024-45798 is a critical Poisoned Pipeline Execution vulnerability affecting the arduino-esp32 core, allowing code injection via tests_results.yml and environment variables.
You are affected if you are using a version of arduino-esp32 prior to a7cec020df8f1a815bd8dfd2559f51a2216bcf1c.
Upgrade to the patched version of the arduino-esp32 core, commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c. Review downloaded artifacts.
No active exploitation campaigns have been publicly reported, but the vulnerability's severity suggests a potential for future attacks.
Refer to the GHSL advisory for details: https://github.com/google/gsl-security-alerts/blob/main/GHSL-2024-169.md