LoRaDawn - Multiple LoRaWAN Security Vulnerabilities

LoRaDawn is a series of vulnerabilities in LoRaWAN discovered by Tencent Blade Team that can cause remote denial of service of a LoRaWAN node and potential code execution on a LoRaWAN gateway under certain conditions. As a well-known LoRaWAN protocol stack, LoRaMac-Node is widely used in nodes and modules from LoRaWAN vendors, so LoRaDawn is potentially highly influential: it allows a remote denial of service against LoRaWAN nodes during OTAA (Over-The-Air Activation). LoRa Basics™ Station is a new state-of-the-art gateway packet forwarder; this vulnerability could lead to code execution in a MITM or malicious-server scenario. In addition, the LNS protocol provides the ability to configure gateways remotely, and this capability can be abused to execute remote code in a MITM or malicious-server scenario. Semtech has already identified and fixed these vulnerabilities. We will not disclose any details of these vulnerabilities at this time, and we urge other vendors to fix them as soon as possible.



Q & A


(1) How do developers judge whether their products are affected?

a) If you are using LoRaMac-Node as the parsing software for the LoRaWAN protocol (including modules, RTOS, and third-party SDKs), and the patch is not applied, then you may be affected by LoRaDawn. Affected versions: 4.4.2-rc.1 through 4.4.3.
b) If you are using LoRa Basics™ Station as the packet forwarder to connect to the server, and the patch is not applied, then you may be affected by LoRaDawn. Affected version: 2.0.3.
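As an added example (not part of the advisory), a small version check that encodes the affected ranges above, taking care that a release candidate such as 4.4.2-rc.1 sorts before the 4.4.2 release; the tag format it accepts is an assumption about how these projects name versions:

```python
import re

# Affected ranges as stated in this advisory (both ends inclusive).
LORAMAC_NODE_AFFECTED = ("4.4.2-rc.1", "4.4.3")   # fixed in 4.4.4
BASICS_STATION_AFFECTED = ("2.0.3", "2.0.3")       # fixed in 2.0.4, 2.0.5+ recommended

# Assumed tag format: optional leading "v", MAJOR.MINOR.PATCH, optional "-rc.N" / "-rcN".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?$")


def parse_version(text):
    """Turn a version string into a tuple that compares in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, rc = m.groups()
    # A release candidate precedes the final release with the same number,
    # so a missing rc tag is encoded as a sentinel larger than any rc number.
    rc_key = int(rc) if rc is not None else float("inf")
    return (int(major), int(minor), int(patch), rc_key)


def in_range(version, low, high):
    """True if version lies within [low, high] in release order."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def loramac_node_affected(version):
    return in_range(version, *LORAMAC_NODE_AFFECTED)


def basics_station_affected(version):
    return in_range(version, *BASICS_STATION_AFFECTED)


if __name__ == "__main__":
    for v in ("v4.4.1", "4.4.2-rc.1", "4.4.2", "v4.4.3", "4.4.4"):
        print(f"LoRaMac-Node {v}: affected={loramac_node_affected(v)}")
    for v in ("2.0.3", "2.0.4", "2.0.5"):
        print(f"Basics Station {v}: affected={basics_station_affected(v)}")
```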


(2) What are the conditions for exploiting the vulnerability?

If you are using LoRaMac-Node and the version is between 4.4.2-rc.1 and 4.4.3, it is affected. The vulnerability exists in the OTAA process, so it can harm devices that are joining the network. For already deployed projects, the device must be made to rejoin the network, which requires combining this with other attack methods and therefore carries a high attack cost. There is no harm if a rejoin is not triggered.


(3) What is the impact of this vulnerability?

Remote denial of service on a LoRaWAN node or potential code execution on the gateway. Because of the security at the LoRaWAN protocol level, attackers cannot obtain LoRaWAN data, so there is no need to worry about data leakage from attacks using these vulnerabilities. LoRaDawn is caused by memory corruption, which prevents the device from successfully joining the network or causes a denial of service. During the attack, the device will be offline or cannot be used properly. However, after the attack, if the device has an abnormal-state recovery mechanism, it can rejoin the network and resume normal operation.


(4) What is the CVE ID of this vulnerability?

CVE-2020-11068, CVE-2020-4060


(5) Has “LoRaDawn” been abused in the wild?

We have not found any public, full exploit code for this vulnerability.


(6) Is there a workaround/fix?

We have reported all the details of the vulnerabilities to Semtech and they have fixed the vulnerabilities.
(a) If your product uses LoRaMac-Node, please update to the official stable version 4.4.4.
(b) If your product uses LoRa Basics™ Station, please update to the official stable version 2.0.5 or above. In addition, it is recommended to use TLS and configure a fully trusted server to ensure the security of communication and to prevent the powerful capabilities of LNS from being abused.


(7) Are there plans to disclose details of the vulnerability?

Not yet. We follow the responsible vulnerability disclosure process and will not disclose the details of the vulnerability before 90 days have elapsed since the vulnerability report.



Timeline


- 14 Apr 2020 Reported the vulnerability of LoRaMac-Node to Semtech.

- 14 Apr 2020 The vulnerability in LoRaMac-Node was confirmed by Semtech.

- 16 Apr 2020 Semtech fixed the vulnerability in LoRaMac-Node.

- 22 Apr 2020 Reported the vulnerability of LoRa Basics™ Station to Semtech.

- 04 May 2020 The vulnerability in LoRa Basics™ Station was confirmed by Semtech.

- 26 May 2020 Semtech released the official LoRaMac-Node version 4.4.4.

- 26 May 2020 CVE ID has been assigned as CVE-2020-11068.

- 05 Jun 2020 Semtech released the official LoRa Basics™ Station version 2.0.4.

- 18 Jun 2020 CVE ID has been assigned as CVE-2020-4060.