CVE-2025-14858
The Semtech LR11xx LoRa transceivers running early versions of firmware contains an information disclosure vulnerability in its firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface.
https://nvd.nist.gov/vuln/detail/CVE-2025-14858
Categories
CWE-226 : Sensitive Information in Resource Not Removed Before Reuse
The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities. Write a known pattern into each sensitive location. Trigger the release of the resource or cause the desired state transition to occur. Read data back from the sensitive locations. If the reads are successful, and the data is the same as the pattern that was originally written, the test fails and the product needs to be fixed. Note that this test can likely be automated. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) During critical state transitions, information not needed in the next state should be removed or overwritten with fixed patterns (such as all 0's) or random data, before the transition to the next state. When releasing, de-allocating, or deleting a resource, overwrite its data and relevant metadata with fixed patterns or random data. Be cautious about complex resource types whose underlying representation might be non-contiguous or change at a low level, such as how a file might be split into different chunks on a file system, even though "logical" file positions are contiguous at the application layer. Such resource types might require invocation of special modes or APIs to tell the underlying operating system to perform the necessary clearing, such as SDelete (Secure Delete) on Windows, although the appropriate functionality might not be available at the application layer. Cryptography library does not clear heap memory before release Ethernet NIC drivers do not pad frames with null bytes, leading to infoleak from malformed packets. router does not clear information from DHCP packets that have been previously used Products do not fully clear memory buffers when less data is stored into the buffer than previous. Products do not fully clear memory buffers when less data is stored into the buffer than previous. Products do not fully clear memory buffers when less data is stored into the buffer than previous. Product does not clear a data structure before writing to part of it, yielding information leak of previously used memory. Memory not properly cleared before reuse.
References
security@sierrawireless.com
AFFECTED (from MITRE)
| Vendor |
Product |
Versions |
| Semtech |
LR1110 |
- < TRX FW 0x0402 [affected]
|
| Semtech |
LR1120 |
- < TRX FW 0x0202 [affected]
|
| Semtech |
LR1121 |
- < TRX FW 0x0104 [affected]
|
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
CPE
| cpe |
start |
end |
| Configuration 1 |
| OR |
| OR |
| cpe:2.3:a:semtech:lr1110:*:*:*:*:*:*:*:* |
>= 0 |
< trx_fw_0x0402 |
| OR |
| cpe:2.3:a:semtech:lr1120:*:*:*:*:*:*:*:* |
>= 0 |
< trx_fw_0x0202 |
| OR |
| cpe:2.3:a:semtech:lr1121:*:*:*:*:*:*:*:* |
>= 0 |
< trx_fw_0x0104 |
REMEDIATION
EXPLOITS
Exploit-db.com
| id |
description |
date |
|
| No known exploits |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id |
description |
severity |
| 37 |
Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack. [Identify Target] Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), configuration files, or other system files. [Retrieve Embedded Data] The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to retrieve the information of interest. |
Very High |
MITRE
Techniques
| id |
description |
| T1005 |
Data from Local System |
| T1552.004 |
Unsecured Credentials: Private Keys |
| © 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. |
Mitigations
| id |
description |
| M1057 |
Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted. |
| M1022 |
Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the `nonexportable` flag during RSA key pair generation. |
| © 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation. |
Cybersecurity needs ?
Strengthen software security from the outset with our DevSecOps expertise
Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.
Discover this offer
