Use of Unmaintained Third Party Components in LoRa Basics Station

Moderate
gbartnik published GHSA-vg5p-rw3m-3f53 Oct 25, 2021

Package

basicstation (embedded software)

Affected versions

2.0.6

Patched versions

NA

Description

Impact

Basics Station uses mbed-tls 2.6, which is unmaintained and is likely to contain several vulnerabilities.

Patches

Semtech is evaluating an upgrade to mbed-tls 2.7. Preliminary results show that mbed-tls 2.7 is interface compatible and can be successfully linked and executed.

Workarounds

Modify the makefile to reference mbed-tls 2.7. There are no other practical workarounds that preserve secure functionality.
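One way to confirm the workaround took effect, as an added example that is not part of the advisory or of Basics Station: a POSIX shell check that reads the `MBEDTLS_VERSION_*` macros from every `mbedtls/version.h` under a source tree and fails when any copy is older than a minimum. The function names and the tree layout are assumptions; the 2.7.0 default is the version named in the workaround.

```shell
# Added example: flag vendored mbed TLS copies older than a minimum version.

# Print MAJOR.MINOR.PATCH read from the version macros in a version.h file.
mbedtls_header_version() {
    awk '
        $1 == "#define" && $2 == "MBEDTLS_VERSION_MAJOR" { maj = $3 }
        $1 == "#define" && $2 == "MBEDTLS_VERSION_MINOR" { min = $3 }
        $1 == "#define" && $2 == "MBEDTLS_VERSION_PATCH" { pat = $3 }
        END {
            if (maj == "" || min == "" || pat == "") exit 1
            printf "%d.%d.%d\n", maj, min, pat
        }' "$1"
}

# Succeed when dotted version $1 is >= dotted version $2 (numeric per field).
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, "."); m = split(want, w, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit 0
    }'
}

# check_mbedtls_tree DIR [MIN]: returns 0 if every copy is >= MIN, 1 if an
# older copy exists, 2 if nothing was found or a header could not be parsed.
check_mbedtls_tree() {
    dir=$1; min=${2:-2.7.0}; rc=0
    found=$(find "$dir" -type f -path '*/mbedtls/version.h' 2>/dev/null) || true
    [ -n "$found" ] || { echo "NOTFOUND no mbedtls/version.h under $dir"; return 2; }
    while IFS= read -r hdr; do
        if ! ver=$(mbedtls_header_version "$hdr"); then
            echo "UNPARSED $hdr"; [ "$rc" -ne 0 ] || rc=2
        elif version_at_least "$ver" "$min"; then
            echo "OK $ver $hdr"
        else
            echo "OUTDATED $ver (need >= $min) $hdr"; rc=1
        fi
    done <<EOF
$found
EOF
    return "$rc"
}

# Run as a script: sh check_mbedtls.sh path/to/source/tree [MIN]
if [ "$#" -gt 0 ]; then check_mbedtls_tree "$@"; fi
```

A pass only shows that the headers in the tree meet the minimum you set; it does not show which library the final binary links against.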

References

For a list of potential vulnerabilities, see: https://www.cvedetails.com/product/32568/ARM-Mbed-Tls.html?vendor_id=15698

For more information

If you have any questions or comments about this advisory, please visit https://www.semtech.com/company/security

This vulnerability was discovered by Andrew Jorgensen (ajorgens@amazon.com) from Amazon.

Severity

Moderate

CVE ID

No known CVE

Weaknesses