EUVD-2025-209284
GHSA-pq38-4mfg-vpxj
CVSS Vector
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:A/V:C/RE:M/U:X
Lifecycle Timeline
3Description
The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.
Analysis
Information disclosure vulnerability in Semtech LR11xx LoRa transceivers (LR1110, LR1120, LR1121) allows attackers with physical SPI interface access to retrieve decrypted firmware contents by exploiting improper memory cleanup after firmware validation. The device fails to clear the last decrypted firmware block from memory after integrity checks complete, enabling an attacker to bypass firmware encryption protection via subsequent SPI memory read commands. This affects early firmware versions and requires direct physical access to the SPI interface.
Technical Context
The Semtech LR11xx series are ultra-low-power LoRa transceivers that support encrypted firmware updates via the SPI (Serial Peripheral Interface) protocol. The vulnerability exists in the firmware validation subsystem, which implements block-by-block decryption of encrypted firmware packages to verify integrity before deployment. The root cause is improper resource cleanup (CWE-226: Sensitive Information in Memory) in the validation routine-specifically, failure to zeroize cryptographic buffers after the validation operation completes. When the host issues a firmware validity check command, the device decrypts firmware blocks sequentially but leaves the final decrypted block resident in memory. Subsequent SPI read commands can access this uncleared memory region, effectively leaking decrypted firmware contents and negating the protection provided by firmware encryption. Affected products include LR1110 (all versions per CPE cpe:2.3:a:semtech:lr1110:*:*:*:*:*:*:*:*), LR1120, and LR1121 transceivers running early firmware revisions.
Affected Products
Semtech LR1110, LR1120, and LR1121 LoRa transceivers are affected across all versions per the provided CPE strings (cpe:2.3:a:semtech:lr1110:*:*:*:*:*:*:*:*, cpe:2.3:a:semtech:lr1120:*:*:*:*:*:*:*:*, cpe:2.3:a:semtech:lr1121:*:*:*:*:*:*:*:*). The vulnerability is specific to early firmware versions; exact version boundaries are not specified in the provided data but are clarified in the Semtech security advisory. Users should consult the Semtech PSA-2026-001 security bulletin (https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001) for precise version information and remediation availability.
Remediation
Upgrade to patched firmware versions released by Semtech. The vendor's PSA-2026-001 security bulletin (https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001) provides specific firmware version numbers and distribution guidance. The fix involves clearing (zeroizing) decrypted firmware blocks from memory immediately after validation completes, preventing residual plaintext from being accessible via subsequent SPI reads. For organizations unable to immediately upgrade, implement additional physical security controls such as epoxy coating of SPI debug pins, tamper detection mechanisms, or secure enclosures that prevent unauthorized SPI interface access. Supply-chain integrity verification and device authentication checks should be prioritized for deployments in high-security contexts.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today