CVE-2022-41018

Vulnerability

A stack-based buffer overflow vulnerability exists in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. The flaw resides in the function that processes the no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D command template. The command parameters are copied into a fixed-size stack buffer using sprintf without proper bounds checking, leading to a buffer overflow when an attacker supplies overly long values. [1]

Exploitation

An attacker must have authenticated access to the router's CLI with high privileges (administrative level). By sending a specially crafted sequence of commands containing excessively long parameters for the vulnerable command template, the attacker can trigger a stack-based buffer overflow. The overflow overwrites adjacent stack memory, including the return address, allowing the attacker to hijack execution flow. [1]

Impact

Successful exploitation enables arbitrary command execution on the device with the privileges of the DetranCLI process, which typically runs with root-level access. This results in a complete compromise of confidentiality, integrity, and availability (CIA) of the router. The CVSS v3 score is 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. [1]

Mitigation

As of the publication date (January 26, 2023), no firmware update or patch has been released by Siretta to address this vulnerability. No official workaround is documented. Users are advised to restrict network access to the CLI interface and monitor for future firmware updates. The device is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. [1]