CVE-2022-41023

Vulnerability

A stack-based buffer overflow vulnerability exists in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. The flaw resides in the function that handles the vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) command template. When processing user-supplied parameters, the code uses sprintf to write into a fixed-size stack buffer without proper bounds checking, leading to a buffer overflow. An attacker can send a specially crafted network packet to trigger this vulnerability. [1]

Exploitation

An attacker must first authenticate with administrative privileges to access the DetranCLI interface. Once authenticated, the attacker can send a sequence of requests that include excessively long values for the mtu or mru parameters (range 128-16384) within the vulnerable command template. The lack of input length validation causes the stack buffer to overflow. No user interaction beyond initial authentication is required. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the device with root privileges. This leads to complete compromise of the router's confidentiality, integrity, and availability. The attacker can potentially install persistent backdoors, exfiltrate network traffic, or disrupt connectivity. [1]

Mitigation

As of the publication date (2023-01-26), no fixed firmware version has been released by Siretta. The vendor has confirmed the vulnerability in version G5.0.1.5-210720-141020. Administrators should restrict network access to the router's management interface and monitor for suspicious activity. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog at the time of writing. [1]