CVE-2022-40985

Vulnerability

The vulnerability is a stack-based buffer overflow in the DetranCLI command parsing of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. Specifically, the function handling the (ddns1|ddns2) hostname WORD command template uses sprintf to copy user-supplied input into a fixed-size stack buffer without bounds checking [1]. This allows an attacker to overflow the buffer and overwrite adjacent memory.

Exploitation

An attacker must have administrative access to the router's CLI (DetranCLI) via SSH or console, as the vulnerable command requires high privileges (CVSSv3 PR:H). The attacker sends a specially crafted ddns1 hostname or ddns2 hostname command with an overly long WORD argument, causing the buffer overflow [1]. No user interaction is required beyond the attacker's own actions.

Impact

Successful exploitation leads to arbitrary command execution on the device with root privileges, as the overflow can overwrite the return address or function pointers. This results in full compromise of confidentiality, integrity, and availability of the router [1]. The CVSSv3 score is 7.2 (High).

Mitigation

As of the advisory publication date (2022-10-13 per Talos), no fix was available. Users should restrict access to the CLI to trusted administrators only, and monitor for firmware updates from Siretta. The affected version is G5.0.1.5-210720-141020; later versions may address the issue [1].