CVE-2022-41025

Vulnerability

A stack-based buffer overflow vulnerability exists in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. The flaw resides in the function that handles the vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) options WORD command template. The vulnerability is of type CWE-120 (Buffer Copy without Checking Size of Input) and occurs when user-controlled parameters are copied into a fixed-size stack buffer using sprintf() without proper length validation [1].

Exploitation

An attacker must first authenticate to the DetranCLI interface with high privileges (PR:H per CVSS). Once authenticated, the attacker sends a sequence of specially crafted network packets containing oversized values for one or more of the command parameters (e.g., name, mtu, mru, options). The sprintf() call copies these values into a stack buffer, causing a buffer overflow that overwrites adjacent memory [1]. No user interaction beyond authentication is required.

Impact

Successful exploitation allows the attacker to achieve arbitrary command execution with root privileges. The CVSSv3 score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) indicates complete compromise of confidentiality, integrity, and availability on the affected device [1].

Mitigation

As of the publication date (2023-01-26), the vendor had not released a patched firmware version. Users should monitor Siretta's official channels for updates. If no patch becomes available, restricting access to the DetranCLI interface (e.g., via firewall rules and strong authentication) is the only workaround. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog. [1]