Description
Summary of the problem
A security issue has been discovered in the Espressif SDK which allows an attacker to gain a man-in-the-middle position.
https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors
"This vulnerability allows forcing the ESP8266 and ESP32 chip families into downgrading their WiFi authentication mode, effectively disabling their encryption entirely. Using a channel switch attack an adversary can easily gain a man-in-the-middle position and read, replay and manipulate any unprotected traffic of the device. It works by sending a beacon frame with the same data as the WiFi network that the ESP is currently connected to, but switching the Privacy bit in the authentication header to 0. This will cause the Espressif device to switch to the OPEN authentication mode and send out unencrypted traffic until it receives a beacon frame from the original access point again. To stabilize the attack a so-called Channel Switch Announcement can be sent to force the ESP chip to switch to a different wireless channel. This way it will not receive the original access point beacons anymore and keep sending unencrypted communication to the rogue access point."
Please check if this issue is applicable to ESPEasy and requires a new build.
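
A monitoring-side check for the behaviour quoted above, as an added example that is not part of the original issue or of Espressif's or ESPEasy's code: it parses raw beacon frames from a monitor-mode capture and flags a beacon from a known encrypted BSSID whose Privacy capability bit is cleared or which carries a Channel Switch Announcement element. The BSSID, SSID and frames are constructed sample values, and frames are assumed to arrive with the radiotap header and FCS already stripped.

```python
import struct

PRIVACY = 0x0010            # capability information bit 4 (IEEE 802.11)
EID_SSID, EID_CSA = 0, 37   # element IDs: SSID, Channel Switch Announcement

def parse_beacon(frame):
    """Parse a raw 802.11 beacon (radiotap header and FCS already stripped)."""
    if len(frame) < 36 or frame[0] != 0x80:    # 0x80 = management/beacon
        return None
    (caps,) = struct.unpack_from("<H", frame, 34)  # after 24-byte header, timestamp, interval
    info = {"bssid": frame[16:22].hex(":"), "privacy": bool(caps & PRIVACY),
            "ssid": None, "csa_channel": None}
    pos = 36
    while pos + 2 <= len(frame):
        eid, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break                               # truncated element, stop parsing
        if eid == EID_SSID:
            info["ssid"] = body.decode("utf-8", "replace")
        elif eid == EID_CSA and length == 3:
            info["csa_channel"] = body[1]       # mode, new channel, count
        pos += 2 + length
    return info

def check_beacon(known, frame):
    """known maps BSSID -> True if that network is expected to be encrypted."""
    b = parse_beacon(frame)
    if b is None or b["bssid"] not in known:
        return []
    alerts = []
    if known[b["bssid"]] and not b["privacy"]:
        alerts.append("privacy-downgrade")
    if b["csa_channel"] is not None:            # can be legitimate; correlate with the above
        alerts.append("csa-to-channel-%d" % b["csa_channel"])
    return alerts

def make_beacon(bssid, ssid, caps, csa=None):
    """Build a constructed sample beacon in memory for the checks below."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    body = b"\x00" * 8 + struct.pack("<HH", 100, caps) + bytes([EID_SSID, len(ssid)]) + ssid
    if csa is not None:
        body += bytes([EID_CSA, 3, 1, csa, 1])
    return hdr + body

if __name__ == "__main__":
    ap = bytes.fromhex("021122334455")          # constructed BSSID
    known = {"02:11:22:33:44:55": True}
    print(check_beacon(known, make_beacon(ap, b"lab", 0x0011)))
    print(check_beacon(known, make_beacon(ap, b"lab", 0x0001, csa=11)))
```

A Channel Switch Announcement on its own also occurs in normal operation, so the second alert is most useful when it coincides with the privacy downgrade for the same BSSID.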