CVE-2019-12587

Name of the Vulnerable Software and Affected Versions Espressif ESP-IDF versions 2.0.0 through 4.0.0 Espressif ESP8266 NONOS SDK versions 2.2.0 through 3.1.0

Description The issue concerns the EAP peer implementation, allowing the installation of a zero Pairwise Master Key (PMK) after completing any EAP authentication method. This enables attackers within radio range to replay, decrypt, or spoof frames via a rogue access point.

Recommendations For Espressif ESP-IDF versions 2.0.0 through 4.0.0, update to a version that addresses this issue. For Espressif ESP8266 NONOS SDK versions 2.2.0 through 3.1.0, update to a version that addresses this issue. As a temporary workaround, consider restricting access to sensitive data and implementing additional security measures to minimize the risk of exploitation via a rogue access point.