CVE-2024-45798 describes a critical Poisoned Pipeline Execution (PPE) vulnerability discovered in the arduino-esp32 core, which provides support for ESP32 microcontrollers. This vulnerability allows attackers to inject malicious code through the tests_results.yml workflow and environment variables, potentially leading to arbitrary code execution. The vulnerability affects versions of arduino-esp32 prior to commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c, and a fix has been released.
The impact of CVE-2024-45798 is severe. Successful exploitation allows an attacker to execute arbitrary code within the CI/CD pipeline of the arduino-esp32 core. This could lead to the compromise of build artifacts, injection of malicious code into firmware images, and ultimately, the deployment of compromised devices. Given the widespread use of ESP32 microcontrollers in IoT devices, this vulnerability poses a significant risk to a broad range of applications, including industrial control systems, consumer electronics, and medical devices. The ability to inject code into the build process effectively compromises the entire software supply chain for these devices.
This vulnerability was publicly disclosed on 2024-09-17. The vulnerability is tracked as GHSL-2024-169 and GHSL-2024-170. While no active exploitation campaigns have been publicly reported, the critical severity and the ease of exploitation (PPE vulnerabilities are often relatively straightforward to exploit) suggest a potential for future attacks. The vulnerability has been added to the CISA KEV catalog, indicating a heightened level of concern.
Developers and users of the arduino-esp32 core, particularly those relying on automated build processes and CI/CD pipelines, are at risk. Projects using custom build scripts or configurations that deviate from the standard arduino-esp32 setup may be particularly vulnerable if they haven't implemented robust input validation.
EPSS: 0.32% (55th percentile)
The primary mitigation for CVE-2024-45798 is to upgrade to the patched version of the arduino-esp32 core, specifically commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c. If an immediate upgrade is not feasible, carefully review the contents of downloaded artifacts before use. Implement stricter input validation and sanitization within the CI/CD pipeline to prevent future code injection attempts. Consider using a hardened CI/CD environment with restricted access and enhanced security controls. After upgrading, verify the integrity of the build process by reviewing build logs and comparing the generated firmware images against known good versions.
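The mitigation paragraph above asks for stricter input validation in the pipeline. The two workflow habits that typically make a Poisoned Pipeline Execution bug of this shape possible are expanding contributor-controlled event data (branch names, PR titles) directly inside a `run:` step, where GitHub substitutes the text into the shell script before it executes, and promoting values read from a downloaded artifact into `$GITHUB_ENV` in a privileged `workflow_run` or `pull_request_target` workflow without checking them. The scanner below is an added, stdlib-only example written for this page; it is not arduino-esp32's tooling, and the two sample workflows are constructed to illustrate the pattern, not copies of the project's tests_results.yml. The list of untrusted event paths and the regexes are the example's own assumptions.

```python
"""Reviewer aid for GitHub Actions workflows: flags (1) contributor-controlled
event expressions expanded inside `run:` steps (shell injection) and (2) values
written to GITHUB_ENV/GITHUB_OUTPUT in a privileged workflow that downloads
artifacts. Added example, stdlib only; sample workflows below are constructed."""
import re
from dataclasses import dataclass

# Event fields an external contributor controls. Expanding them in `run:` pastes
# the contributor's text into the shell script before it runs. (Assumed list.)
UNTRUSTED_EVENT_PATHS = (
    "github.event.workflow_run.head_branch",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Triggers that run with the base repository's secrets/token on data from a fork.
TRIGGER_RE = re.compile(r"^\s*(workflow_run|pull_request_target)\s*:", re.M)
RUN_RE = re.compile(r"^\s*(?:-\s*)?run:\s*(.*)$")
ENV_WRITE_RE = re.compile(r'>>\s*"?\$\{?GITHUB_(ENV|OUTPUT)\}?"?')


@dataclass
class Finding:
    line: int
    kind: str  # "script-injection" or "artifact-to-env"
    detail: str


def scan_workflow(text: str) -> list[Finding]:
    """Line-oriented scan (no YAML parser) so it runs wherever Python does."""
    findings: list[Finding] = []
    privileged = bool(TRIGGER_RE.search(text))
    pulls_artifact = "actions/download-artifact" in text
    block_col = None  # column of the open `run: |` key, None when not in one
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        m = RUN_RE.match(line)
        if m:
            in_run = True
            # A block scalar (| or >) keeps us inside run: until the text dedents.
            scalar = m.group(1).strip()
            block_col = line.index("run:") if scalar in ("|", "|-", ">", ">-") else None
        elif block_col is not None and indent > block_col:
            in_run = True
        else:
            in_run, block_col = False, None
        if not in_run:
            continue
        for expr in EXPR_RE.findall(line):
            if expr.startswith(UNTRUSTED_EVENT_PATHS):
                findings.append(Finding(no, "script-injection",
                                        f"${{{{ {expr} }}}} expanded inside run:"))
        if privileged and pulls_artifact and ENV_WRITE_RE.search(line):
            findings.append(Finding(no, "artifact-to-env",
                                    "artifact-derived value written to GITHUB_ENV/"
                                    "GITHUB_OUTPUT; confirm it is validated first"))
    return findings


# Constructed sample: event data expanded in the shell, artifact file trusted as-is.
VULNERABLE_WORKFLOW = """name: Report test results
on:
  workflow_run:
    workflows: ["Run tests"]
    types: [completed]
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: test-results
      - name: Load PR metadata from the artifact
        run: |
          echo "PR_NUM=$(cat pr_num.txt)" >> "$GITHUB_ENV"
          echo "Results for ${{ github.event.workflow_run.head_branch }}"
      - name: Comment
        run: gh pr comment "$PR_NUM" --body "done"
"""

# Constructed sample: artifact value validated as digits before use, event data
# bound to an env var and read as a quoted shell variable (no expansion in run:).
HARDENED_WORKFLOW = """name: Report test results
on:
  workflow_run:
    workflows: ["Run tests"]
    types: [completed]
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: test-results
      - name: Validate PR number from the artifact before trusting it
        run: |
          pr="$(tr -d '[:space:]' < pr_num.txt)"
          case "$pr" in ''|*[!0-9]*) echo "bad pr_num" >&2; exit 1 ;; esac
          echo "PR_NUM=$pr" >> "$GITHUB_ENV"
      - name: Report
        env:
          BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: echo "Results for $BRANCH"
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {label} ==")
        for f in scan_workflow(wf):
            print(f"  line {f.line}: {f.kind}: {f.detail}")
```

Run against the vulnerable sample it reports both a script-injection line and an artifact-to-env line; against the hardened sample the injection finding disappears, while the `$GITHUB_ENV` write is still listed because a text scan cannot prove the preceding validation is sufficient, which is the point at which a human reviewer should look. Binding the event expression under `env:` and reading `"$BRANCH"` in the shell is the standard fix: the value arrives as data in a variable instead of being spliced into the script source.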
Update the arduino-esp32 core to the version containing the fix (commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c) or later. Verify the integrity of downloaded artifacts to ensure they have not been tampered with.
CVE-2024-45798 is a critical Poisoned Pipeline Execution vulnerability affecting the arduino-esp32 core, allowing code injection via tests_results.yml and environment variables.
You are affected if you are using a version of arduino-esp32 prior to a7cec020df8f1a815bd8dfd2559f51a2216bcf1c.
Upgrade to the patched version of the arduino-esp32 core, commit a7cec020df8f1a815bd8dfd2559f51a2216bcf1c. Review downloaded artifacts.
No active exploitation campaigns have been publicly reported, but the vulnerability's severity suggests a potential for future attacks.
Refer to the GHSL advisory for details: https://github.com/google/gsl-security-alerts/blob/main/GHSL-2024-169.md