CVE-2022-41026

Vulnerability

The vulnerability is a stack-based buffer overflow in the DetranCLI command parsing of Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020. Specifically, the function handling the no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) options WORD command uses sprintf without proper bounds checking, allowing a crafted input to overflow a stack buffer. [1]

Exploitation

An attacker must have privileged access to the CLI (i.e., authenticated with high privileges) to send malicious commands. By providing excessively long values for parameters such as the name or options fields, the attacker can trigger the buffer overflow. The vulnerability is exploitable remotely via network, requiring valid credentials with administrative rights. [1]

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the device with root privileges, leading to full compromise of confidentiality, integrity, and availability. The CVSS score is 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. [1]

Mitigation

As of the advisory publication date (2023-01-26), no patch was available. The vendor was notified but did not provide a fix. Users should limit CLI access to trusted users and consider network segmentation. The product may be end-of-life; consult Siretta for updates. [1]