CVE-2022-40990

Vulnerability

A stack-based buffer overflow vulnerability exists in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020 [1]. The flaw resides in the function handling the no bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest) command template. The use of sprintf with user-controlled parameters without proper bounds checking leads to buffer overflow on the stack [1]. This is classified as CWE-120 - Buffer Copy without Checking Size of Input [1].

Exploitation

An attacker must have administrative (privileged) access to the device's CLI interface [1]. The vulnerability is triggered by sending a specially crafted sequence of network packets to the QUARTZ-GOLD router, providing overly long input parameters for the bandwidth command fields [1]. No user interaction beyond authentication is required. The low complexity of the attack allows for automated exploitation against the affected firmware.

Impact

Successful exploitation results in arbitrary command execution with root privileges on the device [1]. The CVSSv3 score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability [1]. An attacker can gain full control of the router, enabling further network compromise.

Mitigation

As of the published advisory, Siretta has not released a patched firmware version [1]. Users should restrict administrative access to the CLI to trusted users only, monitor for unauthorized access, and apply any firmware updates from the vendor as soon as they become available [1]. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.