CVE-2022-41017

Vulnerability

The vulnerability resides in the DetranCLI command parsing of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. Specifically, the function handling the vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D command uses sprintf to copy user-supplied parameters into a fixed-size stack buffer without bounds checking, leading to a stack-based buffer overflow [1]. The code path is reachable when an authenticated user issues this command via the CLI.

Exploitation

An attacker requires network access to the router and valid administrative credentials (privilege level sufficient to execute CLI commands). The attacker sends a sequence of requests, crafting the command parameters with overly long strings to overflow the stack buffer. No user interaction beyond the attacker's own actions is needed. The overflow overwrites the return address and other stack data, enabling control of execution flow.

Impact

Successful exploitation allows arbitrary command execution on the router with root privileges. The attacker can fully compromise the device, leading to disclosure of sensitive information, modification of configuration, or denial of service. The CVSSv3 score is 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H [1].

Mitigation

As of the advisory publication date (2023-01-26), no patched firmware version has been released by Siretta. The affected version is G5.0.1.5-210720-141020. Users should restrict network access to the router's management interfaces and apply the principle of least privilege for CLI access. Monitor vendor updates for a fixed release. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the advisory date.