CVE-2022-41016

Vulnerability

A stack-based buffer overflow vulnerability exists in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. The flaw specifically resides in the function handling the no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) command template. The issue arises when user-supplied parameters are copied into a fixed-size stack buffer using sprintf without proper bounds checking, leading to a classic buffer overflow (CWE-120) [1].

Exploitation

An attacker must have authenticated access to the DetranCLI interface, which is reachable over the network (e.g., via SSH or console). The attacker sends a specially crafted sequence of requests that supply long strings for the parameters (e.g., name, server, username, passsword) in the vulnerable command template. Because the sprintf function does not validate input lengths, the overflow corrupts adjacent stack memory. No user interaction beyond authentication is required [1].

Impact

Successful exploitation allows the attacker to overwrite the return address and other stack data, leading to arbitrary command execution with root privileges on the device. This results in complete compromise of confidentiality, integrity, and availability (CVSSv3 7.2, AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) [1].

Mitigation

As of the publication date (2023-01-26), Siretta has not released a patched firmware version to address this vulnerability. No workarounds have been disclosed. The affected version is G5.0.1.5-210720-141020; users should monitor Siretta's advisory page for updates. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].