ESP-IDF is the development framework for Espressif SoCs supported on Windows, Linux and macOS. A Time-of-Check to Time-of-Use (TOCTOU) vulnerability was discovered in the implementation of the ESP-IDF bootloader which could allow an attacker with physical access to flash of the device to bypass anti-rollback protection. Anti-rollback prevents rollback to application with security version lower than one programmed in eFuse of chip. This attack can allow to boot past (passive) application partition having lower security version of the same device even in the presence of the flash encryption scheme. The attack requires carefully modifying the flash contents after the anti-rollback checks have been performed by the bootloader (before loading the application). The vulnerability is fixed in 4.4.7 and 5.2.1.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-25T14:31:28.466Z

Updated: 2024-08-02T00:48:49.763Z

Reserved: 2024-03-06T17:35:00.857Z

Link: CVE-2024-28183

cve-icon Vulnrichment

Updated: 2024-08-02T00:48:49.763Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-03-25T15:15:52.183

Modified: 2024-11-21T09:05:58.690

Link: CVE-2024-28183

cve-icon Redhat

No data.