CVE-2022-40999

Vulnerability

Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. The flaw resides in the function that manages the gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null) command template. The use of sprintf without proper bounds checking on command parameters leads to a classic buffer overflow (CWE-120) [1].

Exploitation

An attacker must have administrative privileges (PR:H) to access the DetranCLI interface over the network. By sending a sequence of specially-crafted network packets containing oversized parameter values for the vulnerable gre command template, the attacker can overflow a stack buffer. No user interaction beyond authenticated access is required, and the attack can be carried out over the network (AV:N) with low complexity (AC:L) [1].

Impact

Successful exploitation results in arbitrary command execution with the privileges of the affected process (likely root on the device). The CVSSv3 score of 7.2 indicates high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) [1]. An attacker could fully compromise the router, leading to data exfiltration, device takeover, or disruption of service.

Mitigation

As of the publication date (2023-01-26), no patched firmware version has been disclosed by Siretta. Users are advised to restrict administrative access to trusted networks only and monitor vendor advisories for a future update. The product is confirmed vulnerable by Cisco Talos [1]; no workaround is provided in the available references.