CVE-2022-41003

Vulnerability

A stack-based buffer overflow vulnerability exists in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. The bug is specifically within the function that handles the ip nat outside source (udp|tcp|all) (WORD|null) WORD to A.B.C.D (WORD|null) description (WORD|null) command template. The parsing logic uses sprintf to copy user-controlled parameters into a fixed-size stack buffer without bounds checking, leading to a classic buffer overflow (CWE-120) [1].

Exploitation

An attacker must have administrative access to the DetranCLI (CLI interface) of the QUARTZ-GOLD router, which is exposed over the network via services such as SSH. With a valid authenticated session, the attacker sends a crafted sequence of commands in the ip nat outside source format, providing oversized strings for the parameters. The sprintf call overwrites adjacent stack memory, corrupting the return address and control flow [1]. No user interaction beyond authentication is required.

Impact

Successful exploitation allows arbitrary command execution on the device with root privileges. The attacker gains full control over the router, enabling information disclosure, modification of configuration, denial of service, or use of the device as a pivot point within the network. The CVSSv3 score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) [1].

Mitigation

As of publication date (2023-01-26), no patched firmware version has been released by Siretta. The vendor has been notified by Cisco Talos, but no official fix or workaround has been made available. Users should restrict network access to the management interfaces (e.g., SSH) to trusted hosts only and monitor for unusual CLI activity. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog [1].