Wifi vulnerabilities fixed?

#1 Post by izeesp » 26 Sep 2019, 08:46

Hello guys and thank you so much for your hard work!

Been using ESPEasy for several months for automations and I've been a bit concerned by the 3 wifi vulnerabilities revealed on the 5th of September.
I don't want a potential attacker to be able to capture and replay traffic or simply crash the ESP.

Do latest mega builds include the fixes?

Regards,
Iz

Re: Wifi vulnerabilities fixed?

#2 Post by grovkillen » 26 Sep 2019, 09:03

If they (hackers) got access to the ESP IP address wise it's not much we can do to protect it from DDOS:ing it to death. It simply doesn't have the resources for it.

The other problem you are referring to is fixed within the SDK from Espressif and the 2.6.0 core is patched that way.
Re: Wifi vulnerabilities fixed?

#3 Post by TD-er » 26 Sep 2019, 10:50

One of the found vulnerabilities was related to the enterprise version of WPA if my memory serves me well and that's not supported by ESPEasy, so that was never an issue.
The core 2.6.0 builds are using the "feature/stage" branch, so that's about the latest of the esp8266/Arduino repository.

Re: Wifi vulnerabilities fixed?

#4 Post by izeesp » 26 Sep 2019, 14:10

grovkillen wrote: 26 Sep 2019, 09:03
> If they (hackers) got access to the ESP IP address wise it's not much we can do to protect it from DDOS:ing it to death. It simply doesn't have the resources for it.
>
> The other problem you are referring to is fixed within the SDK from Espressif and the 2.6.0 core is patched that way.

Thanks for your quick reply!
All those versions are a bit confusing to me :shock:
Last build changelog mentions:
[PIO] Update core 2.5.2 to espressif8266@2.2.3
And you guys speak about a 2.6.0 version

On espressif's github I can't find a 2.6.0 on this repo this?

Could you please clarify?

Does latest build (mega-20190926) embed it?

Regards!
Iz

Re: Wifi vulnerabilities fixed?

#5 Post by TD-er » 26 Sep 2019, 14:17

The built files, included in the ZIP have labels like "...core_260..."
That's about the core library version used.

Due to a bug in the deploy script (which I found this morning and will be fixed for the next nightly build), a number of build files were rejected and thus not included in the zip file.

We have builds using different core lib versions, like core 2.4.2, 2.5.2, 2.6.0 etc.
Those can be seen from the file names and if it is not used in the filename, then it is the "current latest released core", which is core 2.5.2
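
Added example, not part of any post in this thread and not ESPEasy project code: it applies the file-name convention described in post #5 to the .bin files in a release ZIP and reports which core library version each name implies. The three-digit `core_NNN` label shape, the sample file names and the in-memory ZIP are assumptions constructed for the demo; the 2.5.2 default and the 2.6.0 threshold are the ones stated in the thread.

```python
import io
import re
import zipfile

# Per the thread: no core label in the name means "current latest released core".
DEFAULT_CORE = (2, 5, 2)
# Per the thread: the 2.6.0 core carries the patched Espressif SDK.
PATCHED_CORE = (2, 6, 0)

# Assumed label shape: "core_" + three digits, e.g. core_260 -> 2.6.0.
CORE_LABEL = re.compile(r"(?<![A-Za-z0-9])core_(\d)(\d)(\d)(?!\d)")


def core_version(filename):
    """Return (major, minor, patch) of the core library a build file name implies."""
    m = CORE_LABEL.search(filename)
    if m is None:
        return DEFAULT_CORE
    return tuple(int(d) for d in m.groups())


def audit_zip(fileobj):
    """Map each .bin in a release ZIP to (core version, built on patched core?)."""
    report = {}
    with zipfile.ZipFile(fileobj) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".bin"):
                continue  # skip readmes, tools and other non-firmware entries
            core = core_version(name.rsplit("/", 1)[-1])
            report[name] = (core, core >= PATCHED_CORE)
    return report


def sample_zip():
    """Constructed in-memory ZIP; the file names are made up for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("bin/demo_normal_core_260_4M.bin",
                     "bin/demo_normal_core_242_1M.bin",
                     "bin/demo_normal_4M.bin",
                     "README.txt"):
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, (core, ok) in audit_zip(sample_zip()).items():
        status = "patched core" if ok else "older core"
        print(f"{name}: core {'.'.join(map(str, core))} -> {status}")
```

An unlabelled file is reported as core 2.5.2 and therefore as an older core, which matches the default described in post #5.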

Re: Wifi vulnerabilities fixed?

#6 Post by izeesp » 01 Oct 2019, 10:59

TD-er wrote: 26 Sep 2019, 14:17
> The built files, included in the ZIP have labels like "...core_260..."
> That's about the core library version used.
>
> Due to a bug in the deploy script (which I found this morning and will be fixed for the next nightly build), a number of build files were rejected and thus not included in the zip file.
>
> We have builds using different core lib versions, like core 2.4.2, 2.5.2, 2.6.0 etc.
> Those can be seen from the file names and if it is not used in the filename, then it is the "current latest released core", which is core 2.5.2

Thanks for the clarification
