Platform: other
Component: arduino-esp32
Fixed in: 7.0.1
CVE-2024-45798 describes a critical Poisoned Pipeline Execution (PPE) vulnerability discovered in the arduino-esp32 core, which provides support for ESP32 microcontrollers. This vulnerability allows attackers to inject malicious code through the tests_results.yml workflow and environment variables, potentially leading to arbitrary code execution. The vulnerability affects versions of arduino-esp32 prior to commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c, and a fix has been released.
The impact of CVE-2024-45798 is severe. Successful exploitation allows an attacker to execute arbitrary code within the CI/CD pipeline of the arduino-esp32 core. This could lead to the compromise of build artifacts, injection of malicious code into firmware images, and ultimately, the deployment of compromised devices. Given the widespread use of ESP32 microcontrollers in IoT devices, this vulnerability poses a significant risk to a broad range of applications, including industrial control systems, consumer electronics, and medical devices. The ability to inject code into the build process effectively compromises the entire software supply chain for these devices.
This vulnerability was publicly disclosed on 2024-09-17. The vulnerability is tracked as GHSL-2024-169 and GHSL-2024-170. While no active exploitation campaigns have been publicly reported, the critical severity and the ease of exploitation (PPE vulnerabilities are often relatively straightforward to exploit) suggest a potential for future attacks. The vulnerability has been added to the CISA KEV catalog, indicating a heightened level of concern.
Developers and users of the arduino-esp32 core, particularly those relying on automated build processes and CI/CD pipelines, are at risk. Projects using custom build scripts or configurations that deviate from the standard arduino-esp32 setup may be particularly vulnerable if they haven't implemented robust input validation.
EPSS: 0.32% (55th percentile)
The primary mitigation for CVE-2024-45798 is to upgrade to the patched version of the arduino-esp32 core, specifically commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c. If an immediate upgrade is not feasible, carefully review the contents of downloaded artifacts before use. Implement stricter input validation and sanitization within the CI/CD pipeline to prevent future code injection attempts. Consider using a hardened CI/CD environment with restricted access and enhanced security controls. After upgrading, verify the integrity of the build process by reviewing build logs and comparing the generated firmware images against known good versions.
Update the arduino-esp32 core to the version that contains the fix (commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c) or later. Verify the integrity of downloaded artifacts to make sure they have not been compromised.
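One way to apply the input-validation advice above, as an added example that is not code from arduino-esp32 or the advisory: a POSIX shell gate for a workflow step that writes a value read from a downloaded artifact into `$GITHUB_ENV`. The helper `safe_env_export`, the names `PR_NUMBER` and `HEAD_SHA`, and the one-value-per-file artifact layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not project code. Assumed names: PR_NUMBER, HEAD_SHA,
# safe_env_export, and a one-value-per-file artifact layout.

# safe_env_export NAME FILE
# Appends NAME=<value> to $GITHUB_ENV only if NAME is allowlisted and the
# file content has the strict shape expected for that name. The body is a
# subshell, so "exit" only sets the function's return status.
safe_env_export() (
  name=$1 file=$2
  reject() { echo "reject $name: $1" >&2; exit 1; }

  [ -f "$file" ] || reject "artifact file missing"
  # Size cap before reading: no expected value exceeds 64 bytes.
  [ "$(wc -c < "$file")" -le 64 ] || reject "value too long"
  value=$(cat "$file")   # trailing newlines stripped, embedded ones kept

  case $name in
    PR_NUMBER)   # decimal digits only
      case $value in ''|*[!0-9]*) reject "not a number" ;; esac ;;
    HEAD_SHA)    # exactly 40 lowercase hex characters
      [ "${#value}" -eq 40 ] || reject "wrong length"
      case $value in *[!0-9a-f]*) reject "not hex" ;; esac ;;
    *)           # every other name is never taken from artifact content
      reject "name not allowlisted" ;;
  esac

  # The character allowlists above exclude newlines, so exactly one
  # NAME=value line can reach the env file.
  printf '%s=%s\n' "$name" "$value" >> "$GITHUB_ENV"
)

# Constructed sample artifacts: one well-formed value, and one with an
# embedded newline that would otherwise add a second variable.
run_demo() (
  d=$(mktemp -d); GITHUB_ENV=$d/env; : > "$GITHUB_ENV"
  printf '1234\n' > "$d/pr_ok"
  printf '1234\nEXTRA_VAR=1\n' > "$d/pr_bad"
  safe_env_export PR_NUMBER "$d/pr_ok"  && echo "accepted: pr_ok"
  safe_env_export PR_NUMBER "$d/pr_bad" || echo "rejected: pr_bad"
  cat "$GITHUB_ENV"; rm -rf "$d"
)
run_demo
```

A rejected value should fail the job rather than be replaced with a default, so a tampered artifact is visible in the run log.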
CVE-2024-45798 is a critical Poisoned Pipeline Execution vulnerability affecting the arduino-esp32 core, allowing code injection via tests_results.yml and environment variables.
You are affected if you are using a version of arduino-esp32 prior to a7cec020df8f1a815bd8dfd2559f51a2216bcf1c.
Upgrade to the patched version of the arduino-esp32 core, commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c. Review downloaded artifacts.
No active exploitation campaigns have been publicly reported, but the vulnerability's severity suggests a potential for future attacks.
Refer to the GHSL advisory for details: https://github.com/google/gsl-security-alerts/blob/main/GHSL-2024-169.md