Long Range Wide Area Network (LoRaWAN) is a low-power wireless networking protocol designed for connecting devices over long distances. These devices are often battery-powered and designed for long-term autonomous operation. Typically, end devices send data to LoRaWAN gateways, which forward those messages to backend systems for further processing. Such backend systems may run on local networks, but also on the internet.

Kerlink is recognized as one of the top global providers of LoRaWAN network infrastructure and solutions. As part of their portfolio, they develop indoor and outdoor LoRaWAN gateways.   

In 2024, the Offensive Security team of BDO Cyber Security GmbH analysed Kerlink LoRaWAN gateways with different operating system (KerOS) versions for vulnerabilities. As part of this research, multiple vulnerabilities were discovered. After responsible disclosure to Kerlink, we release public information about some of these vulnerabilities. In addition, we list another vulnerability, affecting third-party services (ChirpStack), that was discovered as part of those tests.

CVE-2024-39148 – OS Command Injection via wmp-agent

The service wmp-agent does not properly validate so-called ‘magic URLs’. This allows an unauthenticated attacker to inject arbitrary OS commands as the user root whenever the service is reachable over the network. Typically, this service is protected by a local firewall on the device. This affects all versions of KerOS up to version 5.11. It has been fixed in KerOS 5.12. The issue is rated as high.
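The root cause class here is a URL parameter that ends up inside a shell command. The following is an added, illustrative example and not wmp-agent's code: it shows the unsafe pattern (parameter interpolated into a shell string) next to a hardened handler that validates the parameter against a strict pattern and passes arguments as a list without a shell. The parameter name `name`, the `/magic` path and the logging command are constructed for the example.

```python
"""Added example: URL parameter -> OS command, unsafe vs. hardened pattern.
Not Kerlink's wmp-agent code; names and commands below are constructed."""
import re
import subprocess
from urllib.parse import urlparse, parse_qs

# Only the first character must be alphanumeric: this also blocks values
# that start with '-' and would be parsed as options by the invoked program.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,31}")


def _name_param(url: str) -> str:
    """Extract the hypothetical 'name' query parameter from a request URL."""
    return parse_qs(urlparse(url).query).get("name", [""])[0]


def vulnerable_command(url: str) -> str:
    """UNSAFE: the untrusted value becomes part of a shell command line.
    The string is returned rather than executed so the effect of shell
    metacharacters (';', '|', '$(...)') in the parameter is visible."""
    name = _name_param(url)
    return f"/bin/echo agent {name}"  # would typically go to os.system(...)


def hardened_argv(url: str) -> list:
    """SAFE: allowlist validation plus argv list (no shell).  Anything that
    does not match the pattern is rejected before any command is built."""
    name = _name_param(url)
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected parameter")
    return ["/bin/echo", "agent", name]


def run_hardened(url: str) -> int:
    """Execute the validated argv with shell=False; returns the exit code."""
    return subprocess.run(hardened_argv(url), check=False).returncode


if __name__ == "__main__":
    benign = "http://gateway.example/magic?name=sensor-01"
    hostile = "http://gateway.example/magic?name=sensor-01%3Breboot"
    print(vulnerable_command(hostile))   # ';reboot' survives into the command line
    print(hardened_argv(benign))
    try:
        hardened_argv(hostile)
    except ValueError as exc:
        print("hardened handler:", exc)
```

The decisive difference is not the regular expression alone but the combination: validation narrows the input to a known shape, and `subprocess.run` with a list means the remaining value is delivered as a single argument, never parsed by a shell.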

CVE-2024-32388 – Improper Access Control: Partial Firewall Bypass (UDP)

Examining the firewall rules, it turned out that the iptables configuration up to KerOS 5.11 allows UDP traffic to bypass the firewall when specially crafted UDP packets are sent. It has been fixed in KerOS 5.12. This issue is rated as medium.

CVE-2024-32384 – Missing Support for HTTPS

Analysing the web interface of the gateways, it turned out that they do not support Transport Layer Security (TLS). Therefore, the communication between the client and the gateway is not secured at the transport layer, allowing a man-in-the-middle to sniff and tamper with the connection. This affects all KerOS versions up to KerOS 5.9. Starting from version 5.10, HTTPS can be configured, which is further described in the Kerlink Wiki. This issue is rated as medium.

CVE-2024-29862 – Improper Access Control: Partial Firewall Bypass (TCP)

In addition to the firewall misconfiguration issue described above, it turned out that TCP traffic can also bypass the firewall when sending specially crafted TCP packets. This affects the third-party module chirpstack-mqtt-forwarder before 4.2.1 and chirpstack-gateway-bridge before 4.0.11. The issue was already fixed by the ChirpStack main developer last year. It is rated as medium.
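For a fleet of gateways, the practical question behind all four advisories above is which ones still need an update. The following is an added example, not code from the advisory or from Kerlink or ChirpStack: it encodes the affected and fixed versions exactly as stated in the four sections above and compares versions numerically, so that KerOS 5.9 is correctly ordered before 5.10 (a plain string comparison would get this wrong). The function and parameter names are constructed.

```python
"""Added example: map version strings to the CVEs listed in this advisory.
Thresholds are the fixed versions stated above; nothing else is assumed."""
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.10' -> (5, 10); '4.0.11' -> (4, 0, 11).  Tuples compare element-wise,
    so (5, 9) < (5, 10), unlike the strings '5.9' and '5.10'."""
    return tuple(int(part) for part in v.strip().split("."))


def affected_cves(keros: str,
                  mqtt_forwarder: Optional[str] = None,
                  gateway_bridge: Optional[str] = None) -> List[str]:
    """Return the advisory CVE IDs that apply to a gateway running the given
    KerOS version and, optionally, the given ChirpStack component versions."""
    k = parse_version(keros)
    found: List[str] = []

    # CVE-2024-39148 (wmp-agent command injection) and CVE-2024-32388
    # (UDP firewall bypass): affected up to 5.11, fixed in KerOS 5.12.
    if k < parse_version("5.12"):
        found += ["CVE-2024-39148", "CVE-2024-32388"]

    # CVE-2024-32384 (no HTTPS): affected up to 5.9; from 5.10 HTTPS can be
    # configured, so on 5.10+ the remaining task is to verify it is enabled.
    if k < parse_version("5.10"):
        found.append("CVE-2024-32384")

    # CVE-2024-29862 (TCP firewall bypass) lives in the ChirpStack modules:
    # chirpstack-mqtt-forwarder before 4.2.1, chirpstack-gateway-bridge before 4.0.11.
    tcp_bypass = (
        (mqtt_forwarder is not None and parse_version(mqtt_forwarder) < parse_version("4.2.1"))
        or (gateway_bridge is not None and parse_version(gateway_bridge) < parse_version("4.0.11"))
    )
    if tcp_bypass:
        found.append("CVE-2024-29862")
    return found


if __name__ == "__main__":
    # Constructed inventory: (hostname, KerOS, mqtt-forwarder, gateway-bridge)
    inventory = [
        ("gw-01.example", "5.9", None, "4.0.10"),
        ("gw-02.example", "5.11", "4.2.1", None),
        ("gw-03.example", "5.12", "4.2.1", "4.0.11"),
    ]
    for host, keros, fwd, bridge in inventory:
        cves = affected_cves(keros, fwd, bridge)
        print(f"{host}: KerOS {keros}: {', '.join(cves) if cves else 'not affected'}")
```

Because the KerOS web interface issue is only *configurable* away from 5.10, a gateway on 5.10 or 5.11 that reports clean for CVE-2024-32384 still needs a separate check that HTTPS was actually enabled as described in the Kerlink Wiki.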

Further details regarding the vulnerabilities can be found in the referenced advisories.

We strongly advise updating affected devices as soon as possible, as a combination of those vulnerabilities could lead to full compromise.

We would like to thank Kerlink as well as Orne Brocaar of ChirpStack for working with us.
