Ledger Security Bulletin 021

10 January 2025: Missing parameter validation during MCU firmware update.

Summary

A vulnerability was identified in the firmware update process, allowing an attacker to set an arbitrary reset_handler address during firmware flashing. The absence of validation led to permanently bricking the device.

The impact is limited to the operability of the device and, of course, client funds have never been at risk.


Description

During firmware updates, the bootloader expects the host to provide a reset_handler address indicating where execution should resume after flashing is complete.

This value is not validated by the bootloader. As a result, an attacker can provide a crafted address pointing either to invalid memory (causing an unrecoverable crash) or to attacker-controlled code (enabling code execution at boot).

If the address points to an invalid or non-executable region, the device may enter an unrecoverable fault state during boot. This results in a permanent brick, where both external interfaces become unresponsive, and the device cannot be restored without specialized tools and factory-level access.

This flaw originates from the lack of basic checks (e.g., range, alignment, signature validation) on a critical control flow parameter during the update process.


Remediation

The vulnerability has been fixed by enforcing strict validation of the reset_handler field during firmware updates. The reset_handler command is now part of the signed communication flow.

This fix is included in versions Nano X >= 2.4.2, Flex >= 1.2.2, Stax >= 1.6.2 and all later firmware releases. Users are advised to keep their device firmware up to date.
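To make the remediation concrete, the following is an added C example, not Ledger's bootloader code: a host-supplied reset_handler value stored as-is, beside a version that enforces the range, alignment and signed-flow checks the bulletin describes. It assumes a Cortex-M style Thumb entry point and a constructed flash layout; APP_BASE, APP_END and the from_signed_flow flag are illustrative placeholders.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed memory map for illustration only (not a real device layout). */
#define BOOTLOADER_BASE  0x08000000u
#define BOOTLOADER_SIZE  0x00008000u   /* 32 KiB reserved for the bootloader */
#define APP_BASE         (BOOTLOADER_BASE + BOOTLOADER_SIZE)
#define APP_END          0x08040000u   /* exclusive end of application flash */

typedef struct {
    uint32_t reset_handler;   /* where execution resumes after flashing */
} boot_config_t;

/* Vulnerable form: the host-supplied value is accepted without any check. */
static void set_reset_handler_unchecked(boot_config_t *cfg, uint32_t addr)
{
    cfg->reset_handler = addr;
}

typedef enum {
    RH_OK = 0,
    RH_ERR_UNSIGNED,   /* value did not arrive through the signed update flow */
    RH_ERR_THUMB_BIT,  /* Cortex-M entry points must carry the Thumb bit (bit 0) */
    RH_ERR_RANGE       /* outside application flash: RAM, bootloader, unmapped */
} rh_status_t;

/* Hardened form: only a Thumb entry point inside application flash, received
 * over the authenticated channel, is considered a valid reset_handler. */
rh_status_t validate_reset_handler(uint32_t addr, bool from_signed_flow)
{
    if (!from_signed_flow)
        return RH_ERR_UNSIGNED;
    if ((addr & 0x1u) == 0)            /* bit 0 set => Thumb; clearing it yields a
                                          halfword-aligned instruction address */
        return RH_ERR_THUMB_BIT;
    uint32_t target = addr & ~0x1u;
    if (target < APP_BASE || target >= APP_END)
        return RH_ERR_RANGE;
    return RH_OK;
}

/* Returns the stored handler after an update attempt, so the two forms can be
 * compared on the same input (0 means the value was rejected). */
uint32_t stored_after_update(uint32_t addr, bool from_signed_flow, bool hardened)
{
    boot_config_t cfg = { .reset_handler = 0 };
    if (!hardened)
        set_reset_handler_unchecked(&cfg, addr);
    else if (validate_reset_handler(addr, from_signed_flow) == RH_OK)
        cfg.reset_handler = addr;   /* only a vetted value reaches the config */
    return cfg.reset_handler;
}
```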


Credits

We would like to thank Guanxing Wen, who responsibly disclosed this vulnerability via Ledger’s Bug Bounty program.