Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. This buffer overflow is in the function that manages the '(ddns1|ddns2) hostname WORD' command template.
{"cnvd": [{"lastseen": "2023-03-09T23:25:25", "description": "Siretta QUARTZ-GOLD is a high-speed industrial router from Siretta.Siretta QUARTZ-GOLD version G5.0.1.5-210720-141020 is vulnerable to a buffer overflow vulnerability that could be exploited by attackers to execute arbitrary commands.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-09T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD Buffer Overflow Vulnerability (CNVD-2023-15941)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-40985"], "modified": "2023-03-09T00:00:00", "id": "CNVD-2023-15941", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-15941", "cvss": {"score": 0.0, "vector": "NONE"}}], "talosblog": [{"lastseen": "2023-02-02T20:12:34", "description": "\n\n_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities._\n\nCisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router.\n\nThe Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others. FreshTomato is an open source firmware based on Linux. The firmware offers several features for Broadcom-based routers.\n\n### Quartz-Gold Vulnerabilities\n\nSeveral OS command injection vulnerabilities were found which could lead to arbitrary command execution, making them all high risk. 
[TALOS-2022-1607](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1607>) (CVE-2022-40969) and [TALOS-2022-1612](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1612>) (CVE-2022-40220) can be triggered with HTTP requests, while [TALOS-2022-1615](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1615>) (CVE-2022-38066), [TALOS-2022-1638](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1638>) (CVE-2022-40222) and [TALOS-2022-1640](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1640>) (CVE-2022-42490-CVE-2022-42493) can each be triggered with a network request.\n\nThree directory traversals were recorded in QUARTZ-GOLD, [TALOS-2022-1606](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1606>) (CVE-2022-40701) and [TALOS-2022-1637](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1637>) (CVE-2022-41154), which can lead to arbitrary file deletion. Advisory 1637 has a higher CVSS risk rating and can be triggered by a network request. [TALOS-2022-1609](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1609>) (CVE-2022-38088) can lead to arbitrary file read.\n\nThree stack-based buffer overflows were found: [TALOS-2022-1605](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1605>) (CVE-2022-36279) and [TALOS-2022-1608](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1608>) (CVE-2022-38459) can lead to remote code execution, triggered by an HTTP request. 
[TALOS-2022-1613](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1613>) (CVE-2022-40985-CVE-2022-41030) can lead to arbitrary command execution and is triggered by a sequence of requests.\n\nA heap-based buffer overflow vulnerability was also reported in [TALOS-2022-1639](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1639>) (CVE-2022-41991), which can be triggered by a network request.\n\nTwo other vulnerabilities were discovered, including [TALOS-2022-1610](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1610>) (CVE-2022-38715), a leftover debug code that can lead to remote code execution, and [TALOS-2022-1611](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1611>) (CVE-2022-39045), a file write vulnerability that can lead to arbitrary file upload. Both can be triggered by HTTP requests.\n\n### FreshTomato Vulnerabilities\n\nIn FreshTomato, there is [TALOS-2022-1641](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1641>) (CVE-2022-42484), an OS command injection vulnerability and a directory traversal vulnerability, [TALOS-2022-1642](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1642>) (CVE-2022-38451). An attacker can send an HTTP request to trigger these vulnerabilities.\n\nCisco Talos worked with Siretta and FreshTomato to ensure that these issues were resolved and an update is available for affected customers, all in adherence to [Cisco's vulnerability disclosure policy](<https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html>).\n\nUsers are encouraged to update these affected products as soon as possible: Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, FreshTomato 2022.5, Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, AdvancedTomato commit 67273b0. 
Talos tested and confirmed these versions of Siretta and FreshTomato could be exploited by these vulnerabilities.\n\nThe following Snort rules will detect exploitation attempts against this vulnerability: 60649-60652, 60656-0664, 60667, 60692, 60721-60724, 60761-60763, 60771-60775, 60846-60847, 60914. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T21:26:14", "type": "talosblog", "title": "Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-36279", "CVE-2022-38066", "CVE-2022-38088", "CVE-2022-38451", "CVE-2022-38459", "CVE-2022-38715", "CVE-2022-39045", "CVE-2022-40220", "CVE-2022-40222", "CVE-2022-40701", "CVE-2022-40969", "CVE-2022-40985", "CVE-2022-41030", "CVE-2022-41154", "CVE-2022-41991", "CVE-2022-42484", "CVE-2022-42490", "CVE-2022-42493"], "modified": "2023-01-26T21:26:14", "id": "TALOSBLOG:5A84CD5D3B3106E07A6CAFECDC1167F6", "href": "https://blog.talosintelligence.com/vulnerability-spotlight-os-command-injection-directory-traversal-and-other-vulnerabilities-found-in-siretta-quartz-gold-and-freshtomato/", "cvss": {"score": 0.0, "vector": "NONE"}}], "talos": [{"lastseen": "2023-06-03T15:19:40", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1613\n\n## Siretta QUARTZ-GOLD 
DetranCLI command parsing stack-based buffer overflow vulnerabilities\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-40992,CVE-2022-41018,CVE-2022-41005,CVE-2022-41028,CVE-2022-40990,CVE-2022-40985,CVE-2022-40989,CVE-2022-40991,CVE-2022-40994,CVE-2022-41002,CVE-2022-41012,CVE-2022-41019,CVE-2022-41030,CVE-2022-41011,CVE-2022-41027,CVE-2022-40986,CVE-2022-41007,CVE-2022-41022,CVE-2022-41020,CVE-2022-40995,CVE-2022-40998,CVE-2022-41001,CVE-2022-41006,CVE-2022-41014,CVE-2022-41029,CVE-2022-41010,CVE-2022-40997,CVE-2022-40996,CVE-2022-41016,CVE-2022-40988,CVE-2022-41017,CVE-2022-41004,CVE-2022-41013,CVE-2022-41000,CVE-2022-40999,CVE-2022-41025,CVE-2022-41008,CVE-2022-41015,CVE-2022-41026,CVE-2022-41024,CVE-2022-41009,CVE-2022-41003,CVE-2022-40993,CVE-2022-41021,CVE-2022-40987,CVE-2022-41023\n\n##### SUMMARY\n\nSeveral stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-120 - Buffer Copy without Checking Size of Input (\u2018Classic Buffer Overflow\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nThe QUARTZ-GOLD router offers a customized router console by the `DetranCLI` binary. 
From this CLI interface, it is possible to use several functionalities. Many functionalities have a parsing pattern that is vulnerable to stack-based buffer overflow.\n\nThis pattern looks like: `sprintf(stack_buffer, format_string, command_parameter_1, ...)`. The problem is that, in many functions, the `command_parameter_X`\u2019s size is not checked to take into account the size of `stack_buffer`, which can lead to stack-based buffer overflow.\n\nThe `DetranCLI` binary uses command template for each command. Following the relevant template special keyword:\n\n * `WORD` This is a parameter with any sequence of printable characters\n * `CODE` This parameter is similar to `WORD`\n * `A.B.C.D` This parameter represents an IP address\n * `<min_value-max_value>` This is a numerical parameter with a range of possible values, from `min_value` to `max_value`\n * `(choice1|choice2....)` This is a parameter with a set of possible values. The value can be another special keyword, like `WORD` or `<min_value-max_value>`\n\nEach of the above special keyword is going to fill the `char**` array provided as second parameter on each command function. From this point this second argument parameter will be called `argv`. Each special keyword will be inserted in `argv` progressively. 
For example, for the command:\n \n \n firmwall keyword WORD description (WORD|null)\n \n\nThis function will have as `argv[0]` a sequence of character, and as `argv[1]` either any sequence of characters or the string \u2018null\u2019.\n\nFollowing is the list of vulnerable commands with its details.\n\n#### CVE-2022-40985 - ddnsX hostname\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n (ddns1|ddns2) hostname WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x200,\"%s<%s:%s<%s<%s<%s<%s<%s\",\"\",\"\",\"\",argv[1],\"0\",\"\",\"0\",\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40986 - ddnsX mx\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n (ddns1|ddns2) mx WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x200,\"%s<%s:%s<%s<%s<%s<%s<%s\",\"\",\"\",\"\",\"\",\"0\",argv[1],\"0\",\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40987 - ddnsX username\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n (ddns1|ddns2) username WORD password CODE\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x200,\"%s<%s:%s<%s<%s<%s<%s<%s\",\"\",argv[1],argv[2],\"\",\"0\",\"\",\"0\",\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40988 - ipv6 static dns\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n ipv6 static dns WORD WORD WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_260,\"%s %s %s\",*argv,argv[1],argv[2]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer 
overflow.\n\n#### CVE-2022-40989 - bandwidth\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%s<%s<%s<%s<%s<%d<0<0\",*argv,argv[1],argv[2],argv[3],argv[4],based_on_argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40990 - no bandwidth\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%s<%s<%s<%s<%s<%d<0<0\",*argv,argv[1],argv[2],argv[3],argv[4],based_on_argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40991 - firmwall domain\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n firmwall domain WORD description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s\",1,*argv,argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40992 - no firmwall domain\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no firmwall domain WORD description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(stack_0x80,\"%d<%s<%s\",1,*argv,argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40993 - firmwall keyword\n\nThis stack-based buffer overflow can be reached using the following 
command template:\n \n \n firmwall keyword WORD description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s\",1,*argv,argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40994 - no firmwall keyword\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no firmwall keyword WORD description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s\",1,*argv,argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40995 - firmwall srcmac\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%s<%d<%s<%s<%d<%s>\",1,*argv,argv[1],argv[2],depentent_on_argv[3],argv[4],argv[5],iVar6,argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40996 - no firmwall srcmac\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%s<%d<%s<%s<%d<%s\",1,*argv,argv[1],argv[2],depentent_on_argv[3],argv[4],argv[5],depentent_on_argv[6],argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer 
overflow.\n\n#### CVE-2022-40997 - gre index\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n gre index <1-8> destination A.B.C.D/M description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%s>\",1,*argv,argv[1],argv[2]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40998 - no gre index\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no gre index <1-8> destination A.B.C.D/M description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%s\",1,*argv,argv[1],argv[2]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40999 - gre index with keepalive\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%s<%s<%d<%s<%s<%s>\",1,*argv,argv[1],argv[2],argv[3],dependent_on_argv[4],argv[5],argv[6],argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41000 - no gre index with keepalive\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%s<%s<%d<%s<%s<%s\",1,*argv,argv[1],argv[2],argv[3],dependent_on_argv[4],argv[5],argv[6],argv[7]);\n 
\n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41001 - icmp check link\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n icmp check link WORD destination WORD interval <1-255> retries <1-255> description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%d<%d<%s\",1,*argv,argv[1],atoi_argv_2,atoi_argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41002 - no icmp check link\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no icmp check link WORD destination WORD interval <1-255> retries <1-255> description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%d<%d<%s\",1,*argv,argv[1],atoi_argv[2],atoi_argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41003 - ip nat outside source\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n ip nat outside source (udp|tcp|all) (WORD|null) WORD to A.B.C.D (WORD|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%s\",1,based_on_argv[0],argv[1],argv[2],argv[4],argv[3],argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41004 - no ip nat outside source\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no ip nat outside source (udp|tcp|all) (WORD|null) WORD to A.B.C.D (WORD|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n 
sprintf(buff_0x40,\"%d<%d<%s<%s<%s<%s<%s\",1,based_on_argv[0],argv[1],argv[2],argv[4],argv[3],argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41005 - ip static route\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n ip static route destination A.B.C.D gateway A.B.C.D mask A.B.C.D metric <0-10> interface (lan|wan|vpn) description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%s<%s<%s<%s<%s<%s\",*argv,argv[1],argv[2],argv[3],argv[4],argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41006 - no ip static route\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no ip static route destination A.B.C.D gateway A.B.C.D mask A.B.C.D metric <0-10> interface (lan|wan|vpn) description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%s<%s<%s<%s<%s<%s\",*argv,argv[1],argv[2],argv[3],argv[4],argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41007 - port redirect protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n port redirect protocol (tcp|udp|tcp/udp) inport <1-65535> dstaddr A.B.C.D export <1-65535> description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%d<%s<%s<%s<%s>\",1,based_on_argv[0],atoi_argv[1],argv[2],atoi_argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41008 - no port redirect protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no port redirect protocol (tcp|udp|tcp/udp) inport <1-65535> dstaddr A.B.C.D export 
<1-65535> description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%d<%s<%s<%s<%s\",1,based_on_argv[0],atoi_argv[1],argv[2],atoi_argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41009 - port triger protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n port triger protocol (tcp|udp|tcp/udp) triger port <1-65535> forward port <1-65535> description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%d<%s<%s<%s>\",1,based_on_argv[0],atoi_argv[1],atoi_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41010 - no port triger protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no port triger protocol (tcp|udp|tcp/udp) triger port <1-65535> forward port <1-65535> description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%d<%s<%s<%s\",1,based_on_argv[0],atoi_argv[1],atoi_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41011 - schedule link1\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n schedule link1 WORD link2 WORD policy (failover|backup) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%d<%s\",1,*argv,argv[1],dependent_on_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41012 - no schedule link1\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no schedule link1 WORD link2 WORD policy 
(failover|backup) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%d<%s\",1,*argv,argv[1],dependent_on_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41013 - static dhcp mac\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n static dhcp mac WORD (WORD|null) ip A.B.C.D hostname (WORD|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n if (*argv[1] == '\\x00'){\n format_string = \"%s%s<%s<%s<%s\";\n }\n else{\n format_string = \"%s,%s<%s<%s<%s\";\n } \n sprintf(buff_0x40,format_string,*argv,argv[1],argv[2],argv[3],argv[4]); \n \n\n#### CVE-2022-41014 - no static dhcp mac\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no static dhcp mac WORD (WORD|null) ip A.B.C.D hostname (WORD|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n if (*argv[1] == '\\x00'){\n format_string = \"%s%s<%s<%s<%s\";\n }\n else{\n format_string = \"%s,%s<%s<%s<%s\";\n } \n sprintf(buff_0x40,format_string,*argv,argv[1],argv[2],argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41015 - vpn basic protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%d<%d<%s\",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### 
CVE-2022-41016 - no vpn basic protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%d<%d<%s\",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41017 - vpn basic protocol with localip\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%d<%d<%s\",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41018 - no vpn basic protocol with localip\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%d<%d<%s\",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41019 - vpn l2tp advanced name\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru 
<128-16384> auth (on|off) password (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%s<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41020 - no vpn l2tp advanced name\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%s<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41021 - vpn l2tp advanced name with options\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%s<%s\",1,*argv,based_on_argv[1],atoi_argv[2],argv[3],based_on_argv[4],argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41022 - no vpn l2tp advanced name with options\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%s<%s\",1,*argv,based_on_argv[1],atoi_argv[2],argv[3],based_on_argv[4],argv[5],\"\");\n \n\nThe function executing this 
code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41023 - vpn pptp advanced name\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%d<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41024 - no vpn pptp advanced name\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%d<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41025 - vpn pptp advanced name with options\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) options WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%d<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],argv[6]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41026 - no vpn pptp advanced name with options\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) 
stateful (on|off) options WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%d<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],argv[6]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41027 - vpn schedule name1\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn schedule name1 WORD name2 WORD policy (failover|backup) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%d<%s\",1,*argv,argv[1],based_on_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41028 - no vpn schedule name1\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn schedule name1 WORD name2 WORD policy (failover|backup) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%d<%s\",1,*argv,argv[1],based_on_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41029 - wlan filter mac address\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n wlan filter mac address WORD descript WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x20,\"%s%s%s%s%s%s<%s\",octet_from_argv0[0],octet_from_argv0[1],octet_from_argv0[2],octet_from_argv0[3],octet_from_argv0[4],octet_from_argv0[5],argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41030 - no wlan filter mac address\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no wlan filter mac 
address WORD descript WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x20,\"%s%s%s%s%s%s<%s\",octet_from_argv0[0],octet_from_argv0[1],octet_from_argv0[2],octet_from_argv0[3],octet_from_argv0[4],octet_from_argv0[5],argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD DetranCLI command parsing stack-based buffer overflow vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40985", "CVE-2022-40986", "CVE-2022-40987", "CVE-2022-40988", "CVE-2022-40989", "CVE-2022-40990", "CVE-2022-40991", "CVE-2022-40992", "CVE-2022-40993", "CVE-2022-40994", 
"CVE-2022-40995", "CVE-2022-40996", "CVE-2022-40997", "CVE-2022-40998", "CVE-2022-40999", "CVE-2022-41000", "CVE-2022-41001", "CVE-2022-41002", "CVE-2022-41003", "CVE-2022-41004", "CVE-2022-41005", "CVE-2022-41006", "CVE-2022-41007", "CVE-2022-41008", "CVE-2022-41009", "CVE-2022-41010", "CVE-2022-41011", "CVE-2022-41012", "CVE-2022-41013", "CVE-2022-41014", "CVE-2022-41015", "CVE-2022-41016", "CVE-2022-41017", "CVE-2022-41018", "CVE-2022-41019", "CVE-2022-41020", "CVE-2022-41021", "CVE-2022-41022", "CVE-2022-41023", "CVE-2022-41024", "CVE-2022-41025", "CVE-2022-41026", "CVE-2022-41027", "CVE-2022-41028", "CVE-2022-41029", "CVE-2022-41030"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1613", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1613", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}