CVE-2024-53845
Espressif ESP-IDF Tools vulnerability analysis and mitigation

Overview

ESPTouch is a connection protocol for Internet of Things (IoT) devices. Its ESPTouchV2 protocol implementation contains a vulnerability: prior to versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8, there was an option to use a custom AES key, but no option to set the Initialization Vector (IV). The IV was set to zero and remained constant throughout the product's lifetime (GitHub Advisory).

Technical details

In AES/CBC mode encryption, if the IV is not properly initialized and remains constant (zero in this case), the encrypted output becomes deterministic: the same plaintext encrypted under the same key always produces the same ciphertext. This implementation weakness is tracked as CWE-909 (Missing Initialization of Resource) and CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). The vulnerability has been assigned a CVSS v4.0 score of 6.6 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U (GitHub Advisory).

Impact

The use of a constant IV in AES/CBC mode leads to deterministic encryption output, which can result in potential data leakage. This weakness could allow attackers to obtain sensitive information about encrypted messages (GitHub Advisory).

Mitigation and workarounds

The issue has been patched in versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. The fix generates a random IV when activating the AES key, which is then transmitted along with the provisioning data to the provisioning device. The provisioning device has been equipped with a parser for the AES IV. Users must upgrade to the patched versions as there are no alternative workarounds (GitHub Advisory).
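
The difference between the constant zero IV and the patched random IV can be checked directly. The following is an added example, not code from ESP-IDF or the ESPTouch apps; it assumes AES-128, an IV-then-ciphertext message layout, and a constructed key and payloads.

```javascript
// Added illustration, not ESP-IDF or ESPTouch source code.
const crypto = require('crypto');

const BLOCK = 16;
const ZERO_IV = Buffer.alloc(BLOCK); // constant all-zero IV, as in unpatched versions

// AES-128-CBC encryption; Node applies PKCS#7 padding by default.
function encryptCbc(key, iv, plaintext) {
  const cipher = crypto.createCipheriv('aes-128-cbc', key, iv);
  return Buffer.concat([cipher.update(plaintext), cipher.final()]);
}

// Patched-style behaviour: a fresh random IV per message, sent with the data.
// The IV || ciphertext layout is an assumption of this example.
function encryptWithRandomIv(key, plaintext) {
  const iv = crypto.randomBytes(BLOCK);
  return Buffer.concat([iv, encryptCbc(key, iv, plaintext)]);
}

// Receiver side: split off the IV, then decrypt the remainder.
function decryptWithIvPrefix(key, message) {
  const decipher = crypto.createDecipheriv('aes-128-cbc', key, message.subarray(0, BLOCK));
  return Buffer.concat([decipher.update(message.subarray(BLOCK)), decipher.final()]);
}

// Count the leading 16-byte blocks that two messages have in common.
function sharedLeadingBlocks(a, b) {
  const limit = Math.floor(Math.min(a.length, b.length) / BLOCK);
  let n = 0;
  while (n < limit &&
         a.subarray(n * BLOCK, (n + 1) * BLOCK).equals(b.subarray(n * BLOCK, (n + 1) * BLOCK))) {
    n++;
  }
  return n;
}

// Constructed sample data: a custom key and two provisioning payloads whose
// first 16 bytes are identical and whose remaining bytes differ.
const key = Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex');
const p1 = Buffer.from('ssid=HomeNet-2G;psk=correct-horse');
const p2 = Buffer.from('ssid=HomeNet-2G;psk=battery-staple');

console.log('zero IV, same payload twice is identical:',
  encryptCbc(key, ZERO_IV, p1).equals(encryptCbc(key, ZERO_IV, p1)));
console.log('zero IV, shared leading blocks (p1 vs p2):',
  sharedLeadingBlocks(encryptCbc(key, ZERO_IV, p1), encryptCbc(key, ZERO_IV, p2)));
console.log('random IV, shared leading blocks (p1 vs p2):',
  sharedLeadingBlocks(encryptWithRandomIv(key, p1), encryptWithRandomIv(key, p2)));
```

With the zero IV, repeated payloads and payloads with a common first block are visible in the ciphertext without the key; with a random IV per message, neither relationship is observable.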

This report was generated using AI.

Related Espressif ESP-IDF Tools vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-65092 | MEDIUM | 6.9 | Espressif ESP-IDF Tools | cpe:2.3:a:espressif:esp-idf | No | Yes | Nov 21, 2025 |
| CVE-2025-64342 | MEDIUM | 6.9 | Espressif ESP-IDF Tools | cpe:2.3:a:espressif:esp-idf | No | Yes | Nov 17, 2025 |
| CVE-2025-68474 | MEDIUM | 6.1 | Espressif ESP-IDF Tools | cpe:2.3:a:espressif:esp-idf | No | Yes | Dec 27, 2025 |
| CVE-2025-66409 | LOW | 2.7 | Espressif ESP-IDF Tools | cpe:2.3:a:espressif:esp-idf | No | Yes | Dec 02, 2025 |
| CVE-2025-68473 | NONE | N/A | Espressif ESP-IDF Tools | cpe:2.3:a:espressif:esp-idf | No | Yes | Dec 27, 2025 |
