CVE-2022-40995

Vulnerability

A stack-based buffer overflow vulnerability exists in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD running firmware version G5.0.1.5-210720-141020. The flaw resides in the function handling the firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null) command template. The use of sprintf(stack_buffer, format_string, command_parameter_1, ...) without proper bounds checking leads to a classic buffer overflow when overly long parameters are supplied [1].

Exploitation

An attacker must have administrative access to the router's CLI (privileged user) to send crafted command sequences. By providing a specially-crafted network packet or manipulating the command parameters (e.g., an excessively long source MAC address), an overflow of the stack buffer can be triggered. The vulnerable code path copies user-supplied data into a fixed-size stack buffer without validation, allowing the attacker to overwrite adjacent memory [1].

Impact

Successful exploitation allows the attacker to achieve arbitrary command execution on the device with root privileges. This results in full compromise of the router's confidentiality, integrity, and availability, as the attacker can execute arbitrary commands, modify configuration, or use the device as a pivot for further network attacks [1].

Mitigation

Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020 is confirmed vulnerable. As of the publication date (2023-01-26), no patched version has been announced in the available references. Administrators should restrict network access to the administrative CLI interface and monitor for unauthorized login attempts. Consult Talos advisory TALOS-2022-1613 for updates [1].