PT-2023-14056 · Sewio · Sewio'S Real-Time Location System (Rtls) Studio
Andrea Palanca
·
Published
2023-01-16
·
Updated
2023-01-25
·
CVE-2022-41989
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Sewio’s Real-Time Location System (RTLS) Studio versions 2.0.0 through 2.6.2
Description
The issue arises from the lack of validation of the length of RTLS report payloads during communication. This allows an attacker to send an exceedingly long payload, resulting in an out-of-bounds write that can cause a denial-of-service condition or code execution.
Recommendations
For versions 2.0.0 through 2.6.2, consider implementing payload length validation to prevent exceedingly long payloads from being processed, until a patch is available. As a temporary workaround, restrict the size of incoming RTLS report payloads to minimize the risk of exploitation.
Fix
Memory Corruption
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Sewio'S Real-Time Location System (Rtls) Studio