At Black Hat USA in August 2022, Nozomi Networks Labs revealed vulnerabilities discovered in Ultra-wideband (UWB) Real-time Locating Systems (RTLS). During the presentation, we demonstrated how these secure radio communications may fail in practice when leveraging weaknesses in the network protocols used in RTLSs. For more details on this research presented on the Black Hat stage, please refer to our blog and white paper.
Since our Black Hat presentation, we have continued to analyze Sewio RTLS to further assess its overall security posture and discover new potential attack vectors. Of all the components of an RTLS, the central positioning server is undoubtedly the most valuable target to examine, given that it collects and stores all location data of the assets or people tracked by the system and is usually exposed across multiple networks.
In this blog, we disclose nine vulnerabilities, four of which are critical, that affect the RTLS Studio software from Sewio, a popular brand in UWB-based locating systems. These vulnerabilities are also tracked under CISA ICS Advisory ICSA-23-012-01. These issues allow an unprivileged attacker to obtain unauthorized access to the server, alter information, create a denial-of-service (DoS) condition, gain escalated privileges, and execute arbitrary code.
Introduction to Real Time Locating Systems
A Real Time Locating System (RTLS) is a technology that uses radio-frequency signals (e.g., UWB) to locate assets or people, specifically in indoor environments where GPS would be imprecise or completely ineffective. Such systems are used for purposes that range from non-safety-critical tasks, such as ordinary asset tracking, to worker-safety geofencing (in manufacturing plants, etc.), contact tracing, and monitoring of other potentially hazardous environments.
An RTLS consists of three components:
- Tags, which are attached to assets/people and periodically emit wireless signals;
- Anchors, which receive these wireless signals and forward the acquired information to a central positioning server through a common network medium (e.g., Ethernet, Wi-Fi);
- Central positioning server, which processes all information coming from anchors and computes the position of tags.
A central positioning server is a full-fledged software solution that allows an asset owner to deploy, maintain, and control an RTLS. The server is also able to monitor the position of all tags and manage alerts based on the location of assets or people wearing the tags, or produce historical and aggregated data for analytics (for instance, to evaluate the efficiency of a production line process). It can either run on specialized hardware provided by the vendor or on a generic Windows- or Linux-based system.
Usually, the central positioning server is simultaneously connected to at least two different networks:
- One interface is connected to the RTLS backhaul network, to receive the communications from the anchors;
- The other interface is connected to the IT management network, to allow administrators and operators to connect remotely. In the majority of RTLSs, the management service is implemented via a web application.
As a consequence, it is not surprising that the central positioning server plays a crucial role in the entire security posture of an RTLS, and can become an appealing target for attackers if not adequately protected.
Sewio RTLS Studio Vulnerabilities Found
While analyzing RTLS Studio, we found nine vulnerabilities, as listed below:
- CVE-2022-45444: Use of Hard-coded Password (CWE-259), CVSS v3 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- CVE-2022-47911: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) (CWE-78), CVSS v3 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
- CVE-2022-43483: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) (CWE-78), CVSS v3 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
- CVE-2022-41989: Out-of-bounds Write (CWE-787), CVSS v3 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
- CVE-2022-45127: Cross-Site Request Forgery (CSRF) (CWE-352), CVSS v3 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
- CVE-2022-47395: Cross-Site Request Forgery (CSRF) (CWE-352), CVSS v3 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
- CVE-2022-47917: Improper Input Validation (CWE-20), CVSS v3 6.8 (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)
- CVE-2022-46733: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79), CVSS v3 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
- CVE-2022-43455: Improper Input Validation (CWE-20), CVSS v3 5.5 (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L)
* The following CVEs affect versions 2.0.0 – 2.6.2 and have an available fix: CVE-2022-47911, CVE-2022-43483, CVE-2022-45127, CVE-2022-47395, CVE-2022-47917, CVE-2022-46733, and CVE-2022-43455
* The following CVEs affect versions 2.0.0 and later and have suggested workarounds to implement while a fix is in progress (found in the remediations section of this blog): CVE-2022-45444 and CVE-2022-41989.
Attack Chain Example: CVE-2022-45127 and CVE-2022-47911
One of the features offered by RTLS Studio is the possibility to execute backup and restore operations of the configuration of RTLS Studio. Figure 1 shows a sample screenshot of the interface.
This functionality was implemented via an HTTP GET request, with no anti-CSRF protection in place. This alone means that a remote unauthenticated attacker could trigger arbitrary backup and restore operations (including a restore to factory default settings) by crafting a link and luring a privileged user into clicking on it while authenticated to the web service, causing a DoS condition (CVE-2022-45127).
Nevertheless, to verify if other attack scenarios were conceivable, we also performed an in-depth security audit of the server-side code of the handler of the functionality.
Although the application was found to apply specific security measures to prevent command injection and other attacks, one of the parameters was not protected against path traversal. It was eventually possible to abuse this parameter to run any executable available on the OS, such as Bash or other shell interpreters. Additionally, by leveraging the shells themselves, we managed to reliably circumvent the character escaping performed by the aforementioned security routines, obtaining execution of completely arbitrary commands (CVE-2022-47911).
By chaining this issue with the CSRF vulnerability, an attacker could have crafted a malicious “1-click RCE” link that, if clicked by a privileged user while authenticated to the web service, would allow the attacker to compromise the system and all the data in it.
An analogous attack chain could also have been devised by exploiting CVE-2022-47395 and CVE-2022-43483.
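The chain above relies on three missing server-side controls: a state-changing action reachable through GET, no anti-CSRF token, and a file-name parameter that is not confined to the backup directory. The following sketch, written for this post and not taken from RTLS Studio, shows how a backup/restore handler can enforce all three; the endpoint shape, the `BACKUP_DIR` location and the `.bak` naming convention are assumptions.

```python
"""Hardened decision logic for a hypothetical backup/restore endpoint.

Added example, not Sewio's code. Three controls are enforced:
  1. only POST may change state (GET cannot be triggered by a plain link);
  2. a per-session anti-CSRF token, compared in constant time;
  3. the backup name is allowlisted and the resolved path is checked to
     stay inside BACKUP_DIR, so it can never name another file or program.
"""
import hmac
import os
import re
import secrets
from typing import Optional, Tuple

BACKUP_DIR = "/var/lib/rtls-backups"  # assumed location of stored backups
# Allowlist: alphanumerics, dot, underscore, dash; must end in ".bak";
# cannot start with a dot and contains no path separators.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.bak$")


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the user's session and return it."""
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def csrf_ok(session: dict, submitted: Optional[str]) -> bool:
    """Fail closed on a missing token; otherwise compare in constant time."""
    expected = session.get("csrf")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def resolve_backup(name: str) -> Optional[str]:
    """Return the absolute backup path, or None if the name is rejected."""
    if not SAFE_NAME.fullmatch(name):
        return None
    path = os.path.realpath(os.path.join(BACKUP_DIR, name))
    # Defence in depth: even a name that passed the regex must resolve
    # to a direct child of BACKUP_DIR (symlinks are followed by realpath).
    if os.path.dirname(path) != os.path.realpath(BACKUP_DIR):
        return None
    return path


def restore_request(method: str, params: dict, session: dict) -> Tuple[int, str]:
    """Validate a restore request; the real restore would run only on 200."""
    if method != "POST":
        return 405, "method not allowed"
    if not csrf_ok(session, params.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    path = resolve_backup(params.get("file", ""))
    if path is None:
        return 400, "invalid backup name"
    return 200, path
```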
We recommend asset owners quickly apply all patches developed by Sewio and all mitigations for the remaining unpatched vulnerabilities, to prevent any abuse of the systems by unauthorized threat actors.
Sewio has developed patches for the seven vulnerabilities listed above as affecting versions 2.0.0 – 2.6.2. Users are urged to update to RTLS Studio version 3.0.0 or later.
As for the unpatched vulnerabilities – CVE-2022-45444 and CVE-2022-41989 – Sewio is still working on a fix. These vulnerabilities can be mitigated by implementing the following workarounds:
- CVE-2022-45444: manually change the database password to an arbitrary one;
- CVE-2022-41989: apply firewall rules to prevent interactions with the anchor reports, anchor synchronizing, and blinks and syncs network services from the IT management network; restrict access to the RTLS backhaul network as much as possible.
In this blog, we have unveiled nine vulnerabilities affecting the RTLS Studio software from Sewio, four of which are rated critical.
RTLS is a rapidly growing technology that can track assets or people in indoor facilities, maximizing efficiency and increasing the safety of working environments. The adoption of UWB for radio signals (especially with the latest IEEE 802.15.4z amendment) allows for more precise and secure positioning compared with other available standards. Nonetheless, to obtain a secure system overall, it is crucial that all RTLS components are hardened to the same degree, because a failure in just one of them could lead to the compromise of the entire chain.