PT-2023-22174 · Dronescout · Dronescout Ds230

Nicolò Facchi +1 · Published 2023-07-11 · Updated 2024-09-30 · CVE-2023-29156

CVSS v3.1: 6.8 (Medium)

Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

DroneScout ds230 versions 20211210-1627 through 20230329-1042

Description

The issue is an information loss vulnerability through traffic injection. An attacker can exploit this by injecting spoofed Open Drone ID (ODID) messages, forcing the DroneScout ds230 Remote ID receiver to drop real Remote ID (RID) information and transmit JSON encoded MQTT messages with crafted RID information instead. Consequently, the MQTT broker will have no access to the drones' real RID information.

Recommendations

For versions 20211210-1627 through 20230329-1042, as a temporary workaround, consider disabling the reception of Open Drone ID (ODID) messages until a patch is available. Restrict access to the MQTT broker to minimize the risk of exploitation. Avoid using the affected firmware versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

CVE-2023-29156

Affected Products

Dronescout Ds230