Replay Attack Affecting espressif/esp-now package, versions [0,]


Severity


CVSS assessment made by Snyk's Security Team

Threat Intelligence

EPSS: 0.05% (17th percentile)

  • Snyk ID SNYK-UNMANAGED-ESPRESSIFESPNOW-7945501
  • published 13 Sep 2024
  • disclosed 12 Sep 2024
  • credit Nozomi Networks Labs

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

Affected versions of this package are vulnerable to Replay Attack due to the shared cache mechanism. An attacker can disrupt legitimate communications and inject old or malicious packets by clearing the cache of its legitimate entries and re-injecting previously captured packets.

Note:

According to the maintainers, the fix is not a 100% reliable solution, as an attacker with more effort can still replay old ciphertext, but considering the connectionless nature of ESP-NOW, it's "good enough" for now.
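The weakness described in the Overview can be modelled in a few lines. The following is an added example, not code from esp-now and not the fix pushed to master: it contrasts a duplicate cache shared by all senders with a general hardening technique, a per-peer highest-sequence check. All names and sizes are hypothetical, and it assumes peers are paired in advance and that the sequence number is covered by the frame's authentication.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SLOTS 4 /* constructed sizes, kept small so eviction is visible */
#define PEERS 4

/* Weak: one FIFO of recently seen (sender, seq) pairs shared by every sender. */
typedef struct { uint8_t mac[6]; uint32_t seq; bool used; } seen_t;
typedef struct { seen_t slot[SLOTS]; unsigned next; } shared_cache_t;

bool shared_accept(shared_cache_t *c, const uint8_t *mac, uint32_t seq) {
    for (unsigned i = 0; i < SLOTS; i++)
        if (c->slot[i].used && c->slot[i].seq == seq &&
            memcmp(c->slot[i].mac, mac, 6) == 0)
            return false; /* duplicate, but only while its entry survives */
    seen_t *s = &c->slot[c->next];
    c->next = (c->next + 1) % SLOTS; /* oldest entry is overwritten */
    memcpy(s->mac, mac, 6);
    s->seq = seq;
    s->used = true;
    return true;
}

/* Hardened: highest accepted seq per paired peer; other traffic cannot evict it. */
typedef struct { uint8_t mac[6]; uint32_t last; bool used; } peer_t;
typedef struct { peer_t peer[PEERS]; } peer_table_t;

bool peer_add(peer_table_t *t, const uint8_t *mac) {
    for (unsigned i = 0; i < PEERS; i++)
        if (!t->peer[i].used) {
            memcpy(t->peer[i].mac, mac, 6);
            t->peer[i].last = 0; /* counters therefore start at 1 */
            t->peer[i].used = true;
            return true;
        }
    return false; /* table full */
}

bool peer_accept(peer_table_t *t, const uint8_t *mac, uint32_t seq) {
    for (unsigned i = 0; i < PEERS; i++) {
        peer_t *p = &t->peer[i];
        if (p->used && memcmp(p->mac, mac, 6) == 0) {
            if (seq <= p->last) return false; /* old or repeated frame */
            p->last = seq;
            return true;
        }
    }
    return false; /* unpaired sender: no state is created for it */
}
```

Once `SLOTS` other frames have passed through the shared cache, `shared_accept` takes an earlier (mac, seq) pair again, while `peer_accept` keeps rejecting it because its state is per peer and only moves forward.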

CVSS Scores

version 4.0

Snyk (Recommended): 7.1 high
  • Attack Vector (AV): Adjacent
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): None
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Confidentiality (VC): None
  • Integrity (VI): High
  • Availability (VA): None
  • Confidentiality (SC): None
  • Integrity (SI): None
  • Availability (SA): None