CVE-2022-40992

Vulnerability

A stack-based buffer overflow vulnerability exists in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. Specifically, the function that manages the 'no firmwall domain WORD description (WORD|null)' command template uses an unsafe sprintf call to copy user-supplied parameters into a fixed-size stack buffer without proper bounds checking [1]. This occurs in the binary DetranCLI which provides the router's command-line interface.

Exploitation

An attacker must have administrative access (privileged shell) to the router's DetranCLI interface in order to issue the affected command. The attacker can send a crafted sequence of network packets that trigger the vulnerable command processing, supplying an overly long parameter for the 'WORD' fields in the 'no firmwall domain WORD description (WORD|null)' command template [1]. The stack buffer overflow is triggered during the sprintf operation that constructs the internal command string.

Impact

Successful exploitation allows an attacker to overwrite the stack and achieve arbitrary command execution at the elevated privilege level of the DetranCLI process. This results in full compromise of the router's confidentiality, integrity, and availability (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, base score 7.2) [1].

Mitigation

As of the publication date (2023-01-26), the vendor Siretta has not released a patched firmware version for QUARTZ-GOLD to address this vulnerability. No workarounds are documented in the available references [1]. The product is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.