VYPR
Unrated severity · NVD Advisory · Published Jan 26, 2023 · Updated Nov 4, 2025

CVE-2022-42493

Description

Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities. This command injection is reachable through the m2m's DOWNLOAD_INFO command.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OS command injection in Siretta QUARTZ-GOLD G5.0.1.5-210720-141020 m2m binary allows unauthenticated remote attackers to execute arbitrary commands via a crafted network request using the DOWNLOAD_INFO command.

Vulnerability

An OS command injection vulnerability exists in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. The vulnerability resides in the m2m_parse_router_config function, which is used by several commands including DOWNLOAD_INFO. The function constructs an nvram set command using user-supplied input without proper sanitization, leading to arbitrary command execution [1]. The vulnerable function is reachable through a UDP-based network service exposed by the m2m binary [1].

Exploitation

An attacker can exploit this vulnerability by sending a specially-crafted UDP packet to the device on the port where the m2m service listens. The attack requires no authentication and no user interaction, and can be performed over the network [1]. The malicious input is passed to the m2m_parse_router_config function, which then constructs and executes an OS command via system() [1].
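The pattern described above (untrusted input formatted into an nvram set command line and handed to system()) next to a hardened form, as an added example that is not Siretta's code. The function names, the allowlist, the `key=value` argument shape and the `/usr/sbin/nvram` path are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern as the advisory describes it: untrusted text is pasted
 * into a shell command line. Only the string is built here, never executed. */
int build_cmd_unsafe(char *out, size_t n, const char *key, const char *val) {
    return snprintf(out, n, "nvram set %s=%s", key, val);
}

/* Allowlist: 1..max bytes of [A-Za-z0-9_.-], no leading '-'. The character
 * set is an assumption; widen it only to what real settings need. */
int token_ok(const char *s, size_t max) {
    size_t len = s ? strlen(s) : 0;
    if (len == 0 || len > max || s[0] == '-') return 0;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr("_.-", s[i])) return 0;
    return 1;
}

/* Hardened form: validate, then build one "key=value" argument for exec.
 * Returns 0 and fills arg on success, -1 if either token is rejected. */
int build_arg_safe(char *arg, size_t n, const char *key, const char *val) {
    if (!token_ok(key, 64) || !token_ok(val, 128)) return -1;
    int w = snprintf(arg, n, "%s=%s", key, val);
    return (w > 0 && (size_t)w < n) ? 0 : -1;
}

/* Runs the nvram tool with an argv array and no shell, so nothing in the
 * value is interpreted as shell syntax. Binary path is an assumption. */
int nvram_set_safe(const char *key, const char *val) {
    char arg[256];
    if (build_arg_safe(arg, sizeof arg, key, val) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = { "nvram", "set", arg, NULL };
        execv("/usr/sbin/nvram", argv);
        _exit(127);                       /* exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return (WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}
```

Validation and shell-free execution are independent layers: the allowlist rejects unexpected input early, and the argv-based exec removes the shell from the path even if the allowlist is later widened.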

Impact

Successful exploitation allows an unauthenticated remote attacker to execute arbitrary operating system commands on the device with the privileges of the m2m process (typically root) [1]. This can lead to full compromise of the device, including data disclosure, modification, and denial of service [1].

Mitigation

As of the publication date (2023-01-26), no patched version has been released by Siretta. The vendor confirmed the vulnerability but a fix timeline is unknown [1]. Users should restrict network access to the m2m UDP service to trusted hosts only as a workaround [1]. If the m2m feature is not required, it should be disabled.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Range: = G5.0.1.5-210720-141020
  • Siretta/QUARTZ-GOLDv5
    Range: G5.0.1.5-210720-141020

Patches

0

No patches discovered yet.

References

1
