CVE-2022-40998

Vulnerability

A stack-based buffer overflow exists in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. The vulnerability is triggered when processing the no gre index <1-8> destination A.B.C.D/M description (WORD|null) command template. The sprintf function copies user-controlled data into a fixed-size stack buffer without proper bounds checking, leading to a buffer overflow. [1]

Exploitation

An attacker with administrative privileges (required to access the CLI) can send a specially-crafted network packet containing an overly long description parameter. The vulnerable code path is reachable via the DetranCLI interface, which is exposed on the network. Successful exploitation requires no user interaction beyond the attacker sending the malicious command sequence. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the device with the privileges of the DetranCLI process (typically root). This can lead to complete compromise of the router, including disclosure of sensitive data, modification of device configuration, and potential use as a pivot point in the network. [1]

Mitigation

The vendor, Siretta, has not released a patched firmware version as of the advisory publication date (2023-01-26). No workaround is available. The device may be vulnerable to other similar buffer overflows (see related CVEs). Until a fix is released, restrict network access to the DetranCLI interface to trusted administrators only. [1]