Hello guys and thank you so much for your hard work!
Been using espeasy for several months for automations and I've been a bit concerned by the 3 wifi vulnerabilities revealed on the 5th of September.
I don't want a potential attacker to be able to capture and replay traffic or simply crash the esp.
Do latest mega builds include the fixes?
Regards,
Iz
Wifi vulnerabilities fixed?
- grovkillen
Re: Wifi vulnerabilities fixed?
If they (hackers) got access to the ESP IP address wise it's not much we can do to protect it from DDOS:ing it to death. It simply doesn't have the resources for it.
The other problem you are referring to is fixed within the SDK from Espressif and the 2.6.0 core is patched that way.
ESP Easy Flasher [flash tool and wifi setup at flash time]
ESP Easy Webdumper [easy screendumping of your units]
ESP Easy Netscan [find units]
Official shop: https://firstbyte.shop/
Sponsor ESP Easy, we need you
Re: Wifi vulnerabilities fixed?
One of the found vulnerabilities was related to the enterprise version of WPA if my memory serves me well and that's not supported by ESPEasy, so that was never an issue.
The core 2.6.0 builds are using the "feature/stage" branch, so that's about the latest of the esp8266/Arduino repository.
Re: Wifi vulnerabilities fixed?
grovkillen wrote: ↑26 Sep 2019, 09:03
> If they (hackers) got access to the ESP IP address wise it's not much we can do to protect it from DDOS:ing it to death. It simply doesn't have the resources for it.
> The other problem you are referring to is fixed within the SDK from Espressif and the 2.6.0 core is patched that way.

Thanks for your quick reply!
All those versions are a bit confusing to me
Last build changelog mentions:
[PIO] Update core 2.5.2 to espressif8266@2.2.3
And you guys speak about a 2.6.0 version
On espressif's github I can't find a 2.6.0 on this repo this?
Could you please clarify?
Does latest build (mega-20190926) embed it?
Regards!
Iz
Re: Wifi vulnerabilities fixed?
The built files, included in the ZIP have labels like "...core_260..."
That's about the core library version used.
Due to a bug in the deploy script (which I found this morning and will be fixed for the next nightly build), a number of build files were rejected and thus not included in the zip file.
We have builds using different core lib versions, like core 2.4.2, 2.5.2, 2.6.0 etc.
Those can be seen from the file names and if it is not used in the filename, then it is the "current latest released core", which is core 2.5.2
Re: Wifi vulnerabilities fixed?
TD-er wrote: ↑26 Sep 2019, 14:17
> The built files, included in the ZIP have labels like "...core_260..."
> That's about the core library version used.
> Due to a bug in the deploy script (which I found this morning and will be fixed for the next nightly build), a number of build files were rejected and thus not included in the zip file.
> We have builds using different core lib versions, like core 2.4.2, 2.5.2, 2.6.0 etc.
> Those can be seen from the file names and if it is not used in the filename, then it is the "current latest released core", which is core 2.5.2

Thanks for the clarification