CVE-2020-12638 workaround for WPA downgrade attack (#7486)

* CVE-2020-12638 workaround for WPA downgrade attack When connected to an encrypted (WEP/WPA) router, a rogue packet can cause the ESP8266 WiFi stack to drop to an unecrypted rogue network of the same SSID. Handle this by dropping the WiFi connection immediately and reconnecting to the stored WPA/WEP network requested by the application, whenever the AUTHMODE changes to OPEN from a secured mode. https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors for more details.
2025-06-06 05:21:22 +03:00 · 2020-07-26 10:11:14 -07:00 · 2020-07-26 10:11:14 -07:00 · 355b291614
commit 355b291614
parent e815b9219b
1 changed files with 10 additions and 0 deletions
--- a/libraries/ESP8266WiFi/src/ESP8266WiFiGeneric.cpp
+++ b/libraries/ESP8266WiFi/src/ESP8266WiFiGeneric.cpp
@ -228,6 +228,16 @@ void ESP8266WiFiGenericClass::_eventCallback(void* arg)
        WiFiClient::stopAll();
    }

+    if (event->event == EVENT_STAMODE_AUTHMODE_CHANGE) {
+        auto& src = event->event_info.auth_change;
+        if ((src.old_mode != AUTH_OPEN) && (src.new_mode == AUTH_OPEN)) {
+            // CVE-2020-12638 workaround.  When we get a change to AUTH_OPEN from any other mode, drop the WiFi link because it's a downgrade attack
+            // TODO - When upgrading to 3.x.x with fix, remove this code
+            DEBUG_WIFI("WIFI_EVENT_STAMODE_AUTHMODE_CHANGE from encrypted(%d) to AUTH_OPEN, potential downgrade attack. Reconnecting WiFi. See CVE-2020-12638 for more details\n", src.old_mode);
+            WiFi.reconnect();  // Disconnects from STA and then reconnects
+        }
+    }
+
    for(auto it = std::begin(sCbEventList); it != std::end(sCbEventList); ) {
        WiFiEventHandler &handler = *it;
        if (handler->canExpire() && handler.unique()) {