CVE-2022-41024

Vulnerability

A stack-based buffer overflow exists in the DetranCLI command parsing of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. The vulnerability is located in the function that processes the no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) command template. Improper bounds checking when copying user-supplied parameters into a fixed-size stack buffer allows an overflow to occur. The affected command is accessible via the router's CLI, which is reachable over the network through services such as SSH or the console port [1].

Exploitation

An attacker must have administrative-level access to the CLI (e.g., via SSH with valid credentials) to send the specially crafted command. The attacker supplies oversized values for the WORD, mtu, mru, or other parameters in the no vpn pptp advanced ... command. The sprintf(stack_buffer, ...) call copies these arguments without adequate length validation, causing the buffer overflow [1].

Impact

Successful exploitation leads to arbitrary command execution with root privileges on the device. Since the CLI runs with high privileges, an attacker can fully compromise the router, potentially gaining persistent access, modifying configurations, or leveraging the device for further network attacks [1].

Mitigation

Siretta has not released a patched firmware version as of the publication date. The vendor was contacted by Cisco Talos but no fix is available. Users should restrict CLI access to trusted administrators, monitor for anomalous command sequences, and consider disabling the VPN PPTP advanced command if not needed. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at the time of writing [1].