CVE-2022-40988
Description
Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. This buffer overflow is in the function that manages the 'ipv6 static dns WORD WORD WORD' command template.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stack-based buffer overflow in the DetranCLI 'ipv6 static dns' command on Siretta QUARTZ-GOLD G5.0.1.5-210720-141020 allows authenticated attackers to execute arbitrary commands via a specially-crafted network packet.
Vulnerability
A stack-based buffer overflow vulnerability exists in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, specifically within the function that manages the ipv6 static dns WORD WORD WORD command template [1]. The vulnerability is due to the use of unsafe sprintf operations that copy user-supplied input into a fixed-size stack buffer without proper bounds checking (CWE-120) [1]. Any authenticated user who can issue CLI commands can reach the vulnerable code path. The confirmed vulnerable version is Siretta QUARTZ-GOLD G5.0.1.5-210720-141020 [1].
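The bounded alternative to the unchecked sprintf described above, as an added example (not Siretta's firmware code and not code from the advisory). The buffer size, per-WORD cap, format string, function names and sample WORD values are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

#define CMD_BUF  64   /* assumed stack buffer size; the real size is not on the page */
#define WORD_MAX 45   /* assumed per-WORD cap (longest textual IPv6 address) */
enum { DNS_ERR_ARG = -1, DNS_ERR_LEN = -2 };

/* Pattern the advisory describes, shown only for contrast (format string assumed):
 *     char cmd[CMD_BUF];
 *     sprintf(cmd, "ipv6 static dns %s %s %s", w1, w2, w3);   // no bound
 */

/* A WORD is accepted only if it is 1..WORD_MAX printable, non-space bytes. */
static int word_ok(const char *w) {
    size_t n = 0;
    if (w == NULL) return 0;
    for (; w[n] != '\0'; n++) {
        if (n >= WORD_MAX) return 0;   /* too long: stop scanning here */
        if ((unsigned char)w[n] <= ' ' || (unsigned char)w[n] >= 0x7f) return 0;
    }
    return n > 0;
}

/* Returns the formatted length, or a negative DNS_ERR_* code. */
int format_dns_cmd(char *out, size_t outsz,
                   const char *w1, const char *w2, const char *w3) {
    int n;
    if (out == NULL || outsz == 0) return DNS_ERR_ARG;
    out[0] = '\0';
    if (!word_ok(w1) || !word_ok(w2) || !word_ok(w3)) return DNS_ERR_ARG;
    n = snprintf(out, outsz, "ipv6 static dns %s %s %s", w1, w2, w3);
    if (n < 0 || (size_t)n >= outsz) {  /* would not fit: reject, never truncate */
        out[0] = '\0';
        return DNS_ERR_LEN;
    }
    return n;
}

/* Handler-shaped wrapper: same fixed stack buffer, but a bounded write. */
int handle_ipv6_static_dns(const char *w1, const char *w2, const char *w3) {
    char cmd[CMD_BUF];
    return format_dns_cmd(cmd, sizeof cmd, w1, w2, w3);
}

int main(void) {
    /* constructed sample WORD values */
    printf("%d\n", handle_ipv6_static_dns("eth0", "2001:db8::53", "1"));
    return 0;
}
```

Three WORDs that each pass the per-WORD cap can still exceed the buffer in total, which is why the snprintf return value is checked as well.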
Exploitation
An attacker must have administrative privileges (Privileges Required: High) on the device to access the DetranCLI interface and execute the vulnerable ipv6 static dns command with three WORD arguments [1]. No user interaction is required beyond sending a sequence of crafted requests. The attacker supplies an overly long string for one or more of the WORD parameters, causing the stack buffer to overflow and overwrite critical control data [1]. The CVSSv3 vector is AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network-based exploitation, low complexity, high privileges required, and no user interaction [1].
Impact
Successful exploitation leads to arbitrary command execution on the device with the privileges of the DetranCLI process (root-level access) [1]. The attacker gains full compromise of the confidentiality, integrity, and availability of the affected router: they can read sensitive data, modify device configurations, execute arbitrary code, and potentially pivot to other network assets [1].
Mitigation
As of the advisory publication date (2023-01-26), no fixed version was available from the vendor [1]. Users should restrict administrative access to the QUARTZ-GOLD device to trusted users only, monitor CLI logs for suspicious commands, and consider applying network-level access controls to limit exposure of the management interface. If a patch becomes available, upgrading to the latest firmware is recommended [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 5.0.1.5-210720-141020
- Siretta/QUARTZ-GOLD v5, Range: G5.0.1.5-210720-141020
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.