CVE-2022-41989

Summary

Sewio’s Real-Time Location System (RTLS) Studio version 2.0.0 up to and including version 2.6.2 does not validate the length of RTLS report payloads during communication. This allows an attacker to send an exceedingly long payload, resulting in an out-of-bounds write to cause a denial-of-service condition or code execution.

Affected Software

VendorProductVersion RangeStatus
SewioRTLS Studio2.0.0 <= 2.6.2affected

Weaknesses

  • CWE-787: CWE-787 Out-of-bounds Write

Workarounds

Sewio also recommends the following workarounds to reduce the risk of exploitation:

  • Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01 .

    • Locate control system networks and remote devices behind firewalls and isolate them from business networks.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References