LoRaMac-node is a LoRaWAN node and, as such, can handle only a subset of LoRa frame types. LoRaMac-node can only process FRAME_TYPE_PROPRIETARY and FRAME_TYPE_OBEX. Due to LoRaMac-node's behaviour, only FRAME_TYPE_PROPRIETARY can be transmitted by the node. This can be verified with the following command:

LoRaMac-node versions before 4.7.0 are vulnerable to a buffer overflow. If the remote node sends a packet whose length exceeds the buffer size of the kernel, a remote attacker can overflow the buffer and write arbitrary data to the kernel, resulting in a DoS.

The following example shows an out-of-bounds write in a PROPRIETARY frame of length 65280 bytes.

network:PROPRIETARY frameType=PROPRIETARY payload=[rsc:v6 rsc:addr=rsc:addr> rsc:cmd=rsc:cmd> rsc:seq=rsc:seq> rsc:flags=0xrsc:flags> rsc:len=rsc:len> >] dataLength=rsc:len> >

The corresponding example from the user-space application is:

rsc:cmd0x03 >

ENDPROP_EXEC 0x03

^ 0x3b

ENDPROP_EXEC 0x03
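
The length check whose absence produces this class of overflow, as an added example that is not LoRaMac-node source code. The function name, status codes and the 255-byte buffer capacity are assumptions made for illustration; the sample frame is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and sizes for illustration; not LoRaMac-node source. */
#define RX_PAYLOAD_MAX    255u  /* assumed capacity of the receive buffer */
#define MHDR_LEN          1u    /* one-byte MAC header precedes the payload */
#define FTYPE_PROPRIETARY 0x07u /* LoRaWAN MHDR frame type bits 7..5 = 111 */

typedef enum { RX_OK, RX_TOO_SHORT, RX_TOO_LONG, RX_WRONG_TYPE } rx_status_t;

static uint8_t  rx_payload[RX_PAYLOAD_MAX];
static uint16_t rx_payload_len;

/* Copy the payload of a received proprietary frame into rx_payload.
 * Every length is validated before any byte is written. */
rx_status_t handle_proprietary_frame(const uint8_t *frame, uint16_t size)
{
    /* Reject empty input first: size - MHDR_LEN would wrap around otherwise. */
    if (frame == NULL || size < MHDR_LEN)
        return RX_TOO_SHORT;
    if ((frame[0] >> 5) != FTYPE_PROPRIETARY)
        return RX_WRONG_TYPE;

    uint16_t payload_len = (uint16_t)(size - MHDR_LEN);
    /* The check an unchecked copy lacks: the sender controls size. */
    if (payload_len > RX_PAYLOAD_MAX)
        return RX_TOO_LONG;

    memcpy(rx_payload, frame + MHDR_LEN, payload_len);
    rx_payload_len = payload_len;
    return RX_OK;
}

int main(void)
{
    static uint8_t frame[65280];        /* constructed sample frame, all zeros */
    frame[0] = FTYPE_PROPRIETARY << 5;  /* MHDR marking a proprietary frame */

    printf("65280-byte frame: %d\n", handle_proprietary_frame(frame, 65280));
    printf("256-byte frame:   %d\n", handle_proprietary_frame(frame, 256));
    return 0;
}
```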

Timeline

Published on: 10/06/2022 18:16:00 UTC
Last modified on: 10/11/2022 04:15:00 UTC

References