Unrated severity · NVD Advisory · Published Jan 26, 2023 · Updated Nov 4, 2025

CVE-2022-40996

Description

Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. This buffer overflow is in the function that manages the 'no firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)' command template.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack-based buffer overflow in DetranCLI command parsing of Siretta QUARTZ-GOLD routers allows authenticated remote attackers to execute arbitrary code with high privileges.

Vulnerability

The vulnerability is a stack-based buffer overflow in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD industrial routers running firmware version G5.0.1.5-210720-141020 [1]. Specifically, the overflow occurs in the function handling the 'no firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)' command template [1]. The command parameters are copied into a stack buffer without proper bounds checking, leading to a buffer overflow [1].
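
The handler's source is not shown on this page. As an added example (not Siretta's code), this is one way a parser for the command template above could validate every field and refuse over-long input before anything is written to a fixed-size buffer. RULE_MAX, WORD_MAX, the comma-joined rule format and all function names are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RULE_MAX 128 /* assumed size of the handler's fixed buffer */
#define WORD_MAX 32  /* assumed length limit for WORD fields */

static int is_null(const char *s) { return strcmp(s, "null") == 0; }
static int ok_word(const char *s) { size_t n = strlen(s); return n > 0 && n <= WORD_MAX; }
static int ok_ip(const char *s) { /* A.B.C.D or null */
    struct in_addr a;
    return is_null(s) || inet_pton(AF_INET, s, &a) == 1;
}
static int ok_port(const char *s) { /* <1-65535> or null */
    char *end;
    long v;
    if (is_null(s)) return 1;
    if (*s < '0' || *s > '9') return 0; /* no sign or leading space */
    v = strtol(s, &end, 10);
    return *end == '\0' && v >= 1 && v <= 65535;
}
static int one_of(const char *s, const char *const *set) {
    for (; *set; set++) if (strcmp(s, *set) == 0) return 1;
    return 0;
}

/* argv order follows the template: srcmac, srcip, dstip, protocol, srcport,
 * dstport, policy, description. Returns 0 and fills out on success, -1 if a
 * field is invalid or the joined rule would not fit in outsz bytes. */
int build_rule(const char *const argv[8], char *out, size_t outsz) {
    static const char *const protos[] = {"none", "tcp", "udp", "icmp", NULL};
    static const char *const policies[] = {"drop", "accept", NULL};
    int n;
    if (!ok_word(argv[0]) || !ok_ip(argv[1]) || !ok_ip(argv[2]) ||
        !one_of(argv[3], protos) || !ok_port(argv[4]) || !ok_port(argv[5]) ||
        !one_of(argv[6], policies) || !ok_word(argv[7]))
        return -1;
    n = snprintf(out, outsz, "%s,%s,%s,%s,%s,%s,%s,%s", argv[0], argv[1],
                 argv[2], argv[3], argv[4], argv[5], argv[6], argv[7]);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0; /* truncation is a reject */
}

int main(void) {
    /* constructed sample arguments */
    const char *const a[8] = {"null", "10.0.0.1", "null", "tcp", "null", "443", "drop", "web"};
    char rule[RULE_MAX];
    return build_rule(a, rule, sizeof rule) == 0 && puts(rule) >= 0 ? 0 : 1;
}
```

The per-field limits keep the longest valid rule under RULE_MAX, and the snprintf return-value check is a second, independent bound if either limit is later changed.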

Exploitation

An attacker must have network access to the device and possess high privileges (authenticated as an administrative user) to issue commands via the DetranCLI console [1]. By sending a specially-crafted sequence of network packets containing maliciously long parameters for the vulnerable command, the attacker can trigger the stack-based buffer overflow [1]. No user interaction beyond the attacker's authenticated session is required [1].

Impact

Successful exploitation allows the attacker to achieve arbitrary command execution on the device [1]. Given the high privilege level required, the attacker already has administrative access, but the exploit may allow bypassing further restrictions or achieving persistence. The CVSSv3 score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating full compromise of confidentiality, integrity, and availability [1].

Mitigation

As of the publication date of the advisory, Siretta has not released a firmware update to address this vulnerability [1]. The only known vulnerable version is G5.0.1.5-210720-141020. Users should monitor the vendor's website for a patched firmware version and restrict administrative access to trusted networks as a workaround [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Range: = G5.0.1.5-210720-141020
  • Siretta/QUARTZ-GOLDv5
    Range: G5.0.1.5-210720-141020

Patches

0

No patches discovered yet.

References

1
