CVE-2022-41009

Vulnerability

The vulnerability is a stack-based buffer overflow in the DetranCLI command parsing functionality of the Siretta QUARTZ-GOLD router, specifically in the function handling the port triger protocol (tcp|udp|tcp/udp) triger port <1-65535> forward port <1-65535> description WORD command template. Affected version is G5.0.1.5-210720-141020. The overflow occurs due to the use of sprintf with user-controlled parameters without proper bounds checking, leading to a buffer overflow on the stack. [1]

Exploitation

An attacker needs to have authenticated access to the DetranCLI interface (SSH, console, or other management channel). The attacker sends a crafted network packet containing an overly long parameter in the description field of the port triger command. The overflow happens when the command is parsed, overwriting adjacent stack memory. A sequence of requests may be required to trigger the specific vulnerable code path. [1]

Impact

Successful exploitation results in arbitrary command execution with the privileges of the DetranCLI process (likely root). This allows the attacker to fully compromise the router, including modifying configuration, exfiltrating data, or pivoting to other internal systems. The CVSSv3 score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). [1]

Mitigation

As of the publication date (2023-01-26), no patch or updated firmware version had been released by Siretta. No workarounds are documented. Users should restrict administrative access to trusted networks and monitor for unusual activity. The vulnerability is not listed in CISA KEV as of this writing.