CVE-2022-41011

Vulnerability

The schedule link1 WORD link2 WORD policy (failover|backup) description (WORD|null) command parsing in the DetranCLI binary on Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020 contains multiple stack-based buffer overflow vulnerabilities (CWE-120). The flaw lies in the use of sprintf to copy user-supplied command parameters into fixed-size stack buffers without proper bounds checking, allowing an overflow to overwrite adjacent memory [1].

Exploitation

An attacker must first authenticate to the router's CLI (via SSH, console, or other means) and have at least administrative privileges (CVSS v3 Privileges Required: High). By sending a specially crafted sequence of requests that supply an overly long string for WORD parameters (link1 or link2) or the description field, they can trigger a stack-based buffer overflow [1]. The overflow corrupts the return address or function pointers, enabling control of program execution.

Impact

Successful exploitation yields arbitrary command execution on the router with root privileges. The attacker can thus fully compromise the device, including reading or modifying data, installing persistent backdoors, or leveraging the router as a pivot point within the industrial network. The vulnerability is assigned a CVSS v3 score of 7.2 (High) [1].

Mitigation

As of the publication date (2023-01-26), no patched firmware version has been released by Siretta. The only known vulnerable version is G5.0.1.5-210720-141020. Talos has disclosed the findings to the vendor, but no official advisory or workaround has been provided [1]. Users should restrict CLI access to trusted administrators, monitor for anomalous commands, and contact Siretta for a firmware update.