CVE-2022-2848: 
PTC KEPServerEX vulnerability analysis and mitigation

CVE-2022-2848 is a heap-based buffer overflow vulnerability affecting Kepware KEPServerEX, a connectivity platform. The vulnerability was discovered by Vera Mens, Uri Katz, and Sharon Brizinov of Claroty Research, working with Trend Micro's Zero Day Initiative. The flaw exists within the handling of text encoding conversions and affects multiple versions of PTC products including Kepware KEPServerEX, ThingWorkx Kepware Server, ThingWorkx Industrial Connectivity, OPC-Aggregator, and ThingWorkx Kepware Edge (CISA Advisory, ZDI Advisory).

The vulnerability stems from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. Specifically crafted OPC UA messages transmitted to the server could allow an attacker to crash the server and leak data. The vulnerability has been assigned a CVSS v3 base score of 9.1 with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H, indicating a critical severity level. The flaw is classified under CWE-122 (Heap-based Buffer Overflow) (ZDI Advisory, CISA Advisory).

Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code in the context of SYSTEM, crash the server, and leak sensitive data. The vulnerability affects multiple critical infrastructure sectors worldwide (CISA Advisory, ZDI Advisory).

PTC has released updates to address this vulnerability. Users should upgrade Kepware KEPServerEX to v6.12 or later, ThingWorx Kepware Server to v6.12 or later, OPC-Aggregator to v6.12 or later, and ThingWorx Kepware Edge to v1.5 or later. Additionally, CISA recommends minimizing network exposure for control system devices, ensuring they are not accessible from the Internet, and locating control system networks behind firewalls isolated from business networks (CISA Advisory).