CVE-2022-41000

Vulnerability

Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD version G5.0.1.5-210720-141020. The specific flaw resides in the function that manages the no gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null) command template. The vulnerability is caused by the use of sprintf with a fixed-size stack buffer and user-supplied command parameters without proper bounds checking, leading to a classic stack-based overflow (CWE-120) [1].

Exploitation

An attacker must have administrative (privileged) access to the DetranCLI interface, which is reachable over the network via SSH, telnet, or the console port. The attacker sends a crafted sequence of command parameters to the vulnerable no gre index command. The overflow occurs when an overly long parameter (e.g., the description field) is written into the stack buffer via sprintf, overwriting return addresses and other critical data. No user interaction beyond authenticating as a privileged user is required [1].

Impact

Successful exploitation results in arbitrary command execution with root privileges on the router. This allows the attacker to fully compromise the device, including the ability to read sensitive data, modify configuration, launch further attacks within the network, or render the device unusable. The CVSSv3 score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) [1].

Mitigation

As of the publication date (2023-01-26), version G5.0.1.5-210720-141020 is confirmed vulnerable. The vendor Siretta was notified per the coordinated disclosure by Talos, but no fixed version or workaround is explicitly mentioned in the available references [1]. Users should monitor for firmware updates and restrict access to the administrative interface (e.g., via firewall rules, VLAN segmentation) until a patch is available.