CVE-2022-41021
Description
Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. This buffer overflow is in the function that manages the 'vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD' command template.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in Siretta QUARTZ-GOLD router's DetranCLI allows remote authenticated attackers to execute arbitrary commands via a crafted VPN configuration command.
Vulnerability
The vulnerability exists in the DetranCLI command parsing functionality of the Siretta QUARTZ-GOLD industrial router, specifically in firmware version G5.0.1.5-210720-141020. The flaw is a stack-based buffer overflow in the function handling the 'vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD' command template. The overflow occurs during sprintf operations where user-supplied parameters are copied into a fixed-size stack buffer without proper bounds checking, as described in [1].
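The unbounded sprintf pattern described above, shown next to a bounded replacement. This is an added example, not Siretta's code or code from the referenced advisory; the buffer size, the struct, the function names and the output format string are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_LEN 128   /* assumed size; the real buffer size is not given on this page */

/* Hypothetical parsed arguments of the 'vpn l2tp advanced ...' template. */
struct l2tp_args {
    const char *name, *dns, *auth, *password, *options;
    long mtu, mru;
};

/* Returns 1 if s is one of the two keywords the template allows. */
static int one_of(const char *s, const char *a, const char *b) {
    return s && (strcmp(s, a) == 0 || strcmp(s, b) == 0);
}

/* Unsafe pattern described in the entry (do not use):
 *   char buf[CMD_BUF_LEN];
 *   sprintf(buf, "... %s ...", args->name, ...);   // no length limit on WORD fields
 *
 * Bounded version: validates keywords and numeric ranges from the template,
 * then formats with snprintf and treats truncation as an error.
 * Returns 0 on success, -1 on rejected input (out is left as an empty string). */
int build_l2tp_cmd(char *out, size_t outlen, const struct l2tp_args *a) {
    if (!out || outlen == 0 || !a || !a->name || !a->password || !a->options)
        return -1;
    out[0] = '\0';
    if (!one_of(a->dns, "yes", "no") || !one_of(a->auth, "on", "off"))
        return -1;
    if (a->mtu < 128 || a->mtu > 16384 || a->mru < 128 || a->mru > 16384)
        return -1;
    int n = snprintf(out, outlen,
                     "name=%s dns=%s mtu=%ld mru=%ld auth=%s password=%s options=%s",
                     a->name, a->dns, a->mtu, a->mru, a->auth, a->password, a->options);
    if (n < 0 || (size_t)n >= outlen) {   /* would not fit: reject instead of overflowing */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void) {
    char buf[CMD_BUF_LEN];
    struct l2tp_args ok = { "tun0", "yes", "on", "null", "none", 1400, 1400 };  /* constructed input */
    printf("%d %s\n", build_l2tp_cmd(buf, sizeof buf, &ok), buf);
    return 0;
}
```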
Exploitation
An attacker must first obtain administrative access to the router's CLI (e.g., via SSH or console) to reach the vulnerable command parser. With privileged access, the attacker can send a sequence of crafted requests that supply excessively long parameters for fields like the tunnel name (WORD) or the password value. The sprintf function then writes beyond the allocated stack buffer, overwriting adjacent memory. This can corrupt the stack and allow redirection of execution flow, as detailed in [1].
Impact
Successful exploitation enables arbitrary command execution with root privileges on the router. This gives the attacker full control over the device, including the ability to reconfigure network settings, intercept traffic, install persistent malware, or pivot to other devices on the network. The CVSSv3 score is 7.2, indicating high impact on confidentiality, integrity, and availability [1].
Mitigation
Siretta has not yet released a patched firmware version for this vulnerability as of the publication date. Users are advised to restrict administrative access to the router to trusted networks only, use strong passwords, and monitor for suspicious activity. The vulnerable version is G5.0.1.5-210720-141020; upgrading to a fixed release when available is the recommended mitigation. This vulnerability is not currently listed in the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: G5.0.1.5-210720-141020
- Siretta/QUARTZ-GOLD v5 Range: G5.0.1.5-210720-141020
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.