CVE-2022-41027

Vulnerability

A stack-based buffer overflow vulnerability exists in the vpn schedule command parsing functionality of the DetranCLI binary in Siretta QUARTZ-GOLD firmware version G5.0.1.5-210720-141020 [1]. The flaw is triggered when processing the command template 'vpn schedule name1 WORD name2 WORD policy (failover|backup) description (WORD|null)'. The function uses sprintf to copy user-supplied parameters into a fixed-size stack buffer without proper bounds checking [1].

Exploitation

An attacker must first authenticate to the router's CLI (privilege level required) [1]. The attacker then sends a specially crafted sequence of requests containing an overly long parameter (such as a long WORD) for the name1, name2, or description fields in the vulnerable command [1]. This overflows the stack buffer, overwriting adjacent memory.

Impact

Successful exploitation allows the attacker to achieve arbitrary command execution with root privileges on the device [1]. This results in a complete compromise of confidentiality, integrity, and availability (CVSS 7.2) [1].

Mitigation

As of the publication date (2023-01-26), no official patch has been released by Siretta for QUARTZ-GOLD G5.0.1.5-210720-141020 [1]. Users should restrict network access to the router's administrative interfaces and monitor advisories from the vendor for future firmware updates. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of now.