CVE-2022-41022

Vulnerability

A stack-based buffer overflow vulnerability exists in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. The flaw resides in the function that handles the no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD command template. The overflow occurs because user-supplied parameters are copied into a fixed-size stack buffer via sprintf without proper bounds checking, allowing an attacker to overwrite adjacent memory [1].

Exploitation

An attacker must first authenticate to the router's CLI with privileged access (CVSSv3 base score 7.2, requiring high privileges). The attacker then sends a specially-crafted network packet containing a sequence of requests that trigger the buffer overflow. By providing an overly long parameter value in the vulnerable command template, the attacker corrupts the stack and can redirect execution flow [1].

Impact

Successful exploitation results in arbitrary command execution with root privileges on the device. This leads to a complete compromise of confidentiality, integrity, and availability (CIA) of the affected router [1].

Mitigation

As of the advisory publication date (2023-01-26), no patched firmware version has been released by Siretta. The confirmed vulnerable version is G5.0.1.5-210720-141020. Users are advised to contact Siretta for updates and to restrict network access to the CLI interface as a workaround. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].