Platform: other
Component: arduino-esp32
Fixed in: 7.0.1
CVE-2024-45798 describes a critical Poisoned Pipeline Execution (PPE) vulnerability discovered in the arduino-esp32 core, which provides support for ESP32 microcontrollers. This vulnerability allows attackers to inject malicious code through the tests_results.yml workflow and environment variables, potentially leading to arbitrary code execution. The vulnerability affects versions of arduino-esp32 prior to commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c, and a fix has been released.
The impact of CVE-2024-45798 is severe. Successful exploitation allows an attacker to execute arbitrary code within the CI/CD pipeline of the arduino-esp32 core. This could lead to the compromise of build artifacts, injection of malicious code into firmware images, and ultimately, the deployment of compromised devices. Given the widespread use of ESP32 microcontrollers in IoT devices, this vulnerability poses a significant risk to a broad range of applications, including industrial control systems, consumer electronics, and medical devices. The ability to inject code into the build process effectively compromises the entire software supply chain for these devices.
This vulnerability was publicly disclosed on 2024-09-17. The vulnerability is tracked as GHSL-2024-169 and GHSL-2024-170. While no active exploitation campaigns have been publicly reported, the critical severity and the ease of exploitation (PPE vulnerabilities are often relatively straightforward to exploit) suggest a potential for future attacks. The vulnerability has been added to the CISA KEV catalog, indicating a heightened level of concern.
Developers and users of the arduino-esp32 core, particularly those relying on automated build processes and CI/CD pipelines, are at risk. Projects using custom build scripts or configurations that deviate from the standard arduino-esp32 setup may be particularly vulnerable if they haven't implemented robust input validation.
Exploit status
EPSS: 0.32% (percentile 55%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-45798 is to upgrade to the patched version of the arduino-esp32 core, specifically commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c. If an immediate upgrade is not feasible, carefully review the contents of downloaded artifacts before use. Implement stricter input validation and sanitization within the CI/CD pipeline to prevent future code injection attempts. Consider using a hardened CI/CD environment with restricted access and enhanced security controls. After upgrading, verify the integrity of the build process by reviewing build logs and comparing the generated firmware images against known good versions.
Update the arduino-esp32 core to the version that contains the fix (commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c) or later. Verify the integrity of downloaded artifacts to make sure they have not been compromised.
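One way to apply the input-validation advice in the mitigation above to the environment-variable path, as an added example (not code from the arduino-esp32 project or the advisory): a POSIX shell helper for a CI step that copies a value from a downloaded artifact into the runner's environment file (`$GITHUB_ENV` on GitHub Actions). The function name, file names, size limit and allowlist are assumptions.

```shell
#!/bin/sh
# Added example: gate a value read from an untrusted downloaded artifact
# before it reaches the runner's environment file ($GITHUB_ENV).
# Function name, file names, size limit and allowlist are assumptions.
LC_ALL=C; export LC_ALL   # make A-Z / a-z ranges mean ASCII only

# safe_env_append NAME SRC_FILE ENV_FILE
# Appends NAME=value and returns 0 only when SRC_FILE holds a single short
# token of allowlisted characters; returns 1 and writes nothing otherwise.
safe_env_append() {
  name=$1 src=$2 env_file=$3

  # The workflow picks the name, but keep it a plain identifier anyway.
  case $name in
    ''|[!A-Z_]*|*[!A-Z0-9_]*) return 1 ;;
  esac

  # Regular file only (no symlink planted in the archive), 1..128 bytes.
  [ -f "$src" ] && [ ! -L "$src" ] || return 1
  size=$(( $(wc -c < "$src") ))
  [ "$size" -gt 0 ] && [ "$size" -le 128 ] || return 1

  # $(...) strips only trailing newlines; an embedded newline or CR (which
  # would start a second NAME=value line in the env file) stays in $value
  # and fails the allowlist below, as does any shell metacharacter.
  value=$(cat "$src")
  case $value in
    ''|*[!A-Za-z0-9_./-]*) return 1 ;;
  esac

  printf '%s=%s\n' "$name" "$value" >> "$env_file"
}

# Constructed sample input: one clean artifact file and one poisoned file.
demo_dir=$(mktemp -d)
printf 'pull_request\n' > "$demo_dir/event.txt"
printf 'push\nINJECTED_VAR=1\n' > "$demo_dir/poisoned.txt"
: > "$demo_dir/env"
safe_env_append ORIGINAL_EVENT "$demo_dir/event.txt" "$demo_dir/env" \
  && echo "accepted: event.txt"
safe_env_append ORIGINAL_EVENT "$demo_dir/poisoned.txt" "$demo_dir/env" \
  || echo "rejected: poisoned.txt"
```

In a workflow step, pass `"$GITHUB_ENV"` as the third argument and fail the job on a non-zero return.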
CVE-2024-45798 is a critical Poisoned Pipeline Execution vulnerability affecting the arduino-esp32 core, allowing code injection via tests_results.yml and environment variables.
You are affected if you are using a version of arduino-esp32 prior to a7cec020df8f1a815bd8dfd2559f51a2216bcf1c.
Upgrade to the patched version of the arduino-esp32 core, commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c. Review downloaded artifacts.
No active exploitation campaigns have been publicly reported, but the vulnerability's severity suggests a potential for future attacks.
Refer to the GHSL advisory for details: https://github.com/google/gsl-security-alerts/blob/main/GHSL-2024-169.md