CVE-2022-41020

Vulnerability

A stack-based buffer overflow vulnerability exists in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. The flaw resides in the function that handles the no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) command template. The vulnerability is caused by the use of sprintf() without proper bounds checking, allowing an attacker to overflow a stack buffer by supplying an excessively long parameter value [1].

Exploitation

An attacker must have network access to the router and possess high privileges (e.g., administrative credentials) to interact with the DetranCLI interface. By sending a sequence of specially crafted network packets containing an overly long parameter in the vulnerable command template, the attacker can trigger the buffer overflow. No user interaction beyond authentication is required [1].

Impact

Successful exploitation results in arbitrary command execution on the device with the privileges of the DetranCLI process, which typically runs with root-level access. This leads to full compromise of confidentiality, integrity, and availability of the router (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) [1].

Mitigation

As of the publication date (2023-01-26), no official patch or firmware update has been released by Siretta to address this vulnerability. The advisory does not provide any workarounds. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. Users should monitor vendor communications for future updates and restrict administrative access to trusted networks [1].