Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. This buffer overflow is in the function that manages the 'no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)' command template.
{"cnvd": [{"lastseen": "2023-03-15T05:24:27", "description": "Siretta QUARTZ-GOLD is a high-speed industrial router from Siretta.Siretta QUARTZ-GOLD version G5.0.1.5-210720-141020 is vulnerable to a buffer overflow vulnerability that could be exploited by attackers to execute arbitrary commands.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-09T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD Buffer Overflow Vulnerability (CNVD-2023-17043)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-41016"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17043", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17043", "cvss": {"score": 0.0, "vector": "NONE"}}], "prion": [{"lastseen": "2023-11-20T23:50:45", "description": "Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. 
An attacker can send a sequence of requests to trigger these vulnerabilities.This buffer overflow is in the function that manages the 'no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)' command template.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "Stack overflow", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41016"], "modified": "2023-10-18T17:44:00", "id": "PRION:CVE-2022-41016", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2022-41016", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "talos": [{"lastseen": "2023-12-02T18:55:50", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1613\n\n## Siretta QUARTZ-GOLD DetranCLI command parsing stack-based buffer overflow vulnerabilities\n\n##### January 26, 2023\n\n##### CVE 
Number\n\nCVE-2022-40992,CVE-2022-41018,CVE-2022-41005,CVE-2022-41028,CVE-2022-40990,CVE-2022-40985,CVE-2022-40989,CVE-2022-40991,CVE-2022-40994,CVE-2022-41002,CVE-2022-41012,CVE-2022-41019,CVE-2022-41030,CVE-2022-41011,CVE-2022-41027,CVE-2022-40986,CVE-2022-41007,CVE-2022-41022,CVE-2022-41020,CVE-2022-40995,CVE-2022-40998,CVE-2022-41001,CVE-2022-41006,CVE-2022-41014,CVE-2022-41029,CVE-2022-41010,CVE-2022-40997,CVE-2022-40996,CVE-2022-41016,CVE-2022-40988,CVE-2022-41017,CVE-2022-41004,CVE-2022-41013,CVE-2022-41000,CVE-2022-40999,CVE-2022-41025,CVE-2022-41008,CVE-2022-41015,CVE-2022-41026,CVE-2022-41024,CVE-2022-41009,CVE-2022-41003,CVE-2022-40993,CVE-2022-41021,CVE-2022-40987,CVE-2022-41023\n\n##### SUMMARY\n\nSeveral stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-120 - Buffer Copy without Checking Size of Input (\u2018Classic Buffer Overflow\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nThe QUARTZ-GOLD router offers a customized router console by the `DetranCLI` binary. From this CLI interface, it is possible to use several functionalities. 
Many functionalities have a parsing pattern that is vulnerable to stack-based buffer overflow.\n\nThis pattern looks like: `sprintf(stack_buffer, format_string, command_parameter_1, ...)`. The problem is that, in many functions, the `command_parameter_X`\u2019s size is not checked to take into account the size of `stack_buffer`, which can lead to stack-based buffer overflow.\n\nThe `DetranCLI` binary uses command template for each command. Following the relevant template special keyword:\n\n * `WORD` This is a parameter with any sequence of printable characters\n * `CODE` This parameter is similar to `WORD`\n * `A.B.C.D` This parameter represents an IP address\n * `<min_value-max_value>` This is a numerical parameter with a range of possible values, from `min_value` to `max_value`\n * `(choice1|choice2....)` This is a parameter with a set of possible values. The value can be another special keyword, like `WORD` or `<min_value-max_value>`\n\nEach of the above special keyword is going to fill the `char**` array provided as second parameter on each command function. From this point this second argument parameter will be called `argv`. Each special keyword will be inserted in `argv` progressively. 
For example, for the command:\n \n \n firmwall keyword WORD description (WORD|null)\n \n\nThis function will have as `argv[0]` a sequence of character, and as `argv[1]` either any sequence of characters or the string \u2018null\u2019.\n\nFollowing is the list of vulnerable commands with its details.\n\n#### CVE-2022-40985 - ddnsX hostname\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n (ddns1|ddns2) hostname WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x200,\"%s<%s:%s<%s<%s<%s<%s<%s\",\"\",\"\",\"\",argv[1],\"0\",\"\",\"0\",\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40986 - ddnsX mx\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n (ddns1|ddns2) mx WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x200,\"%s<%s:%s<%s<%s<%s<%s<%s\",\"\",\"\",\"\",\"\",\"0\",argv[1],\"0\",\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40987 - ddnsX username\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n (ddns1|ddns2) username WORD password CODE\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x200,\"%s<%s:%s<%s<%s<%s<%s<%s\",\"\",argv[1],argv[2],\"\",\"0\",\"\",\"0\",\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40988 - ipv6 static dns\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n ipv6 static dns WORD WORD WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_260,\"%s %s %s\",*argv,argv[1],argv[2]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer 
overflow.\n\n#### CVE-2022-40989 - bandwidth\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%s<%s<%s<%s<%s<%d<0<0\",*argv,argv[1],argv[2],argv[3],argv[4],based_on_argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40990 - no bandwidth\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%s<%s<%s<%s<%s<%d<0<0\",*argv,argv[1],argv[2],argv[3],argv[4],based_on_argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40991 - firmwall domain\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n firmwall domain WORD description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s\",1,*argv,argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40992 - no firmwall domain\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no firmwall domain WORD description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(stack_0x80,\"%d<%s<%s\",1,*argv,argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40993 - firmwall keyword\n\nThis stack-based buffer overflow can be reached using the following 
command template:\n \n \n firmwall keyword WORD description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s\",1,*argv,argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40994 - no firmwall keyword\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no firmwall keyword WORD description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s\",1,*argv,argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40995 - firmwall srcmac\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%s<%d<%s<%s<%d<%s>\",1,*argv,argv[1],argv[2],depentent_on_argv[3],argv[4],argv[5],iVar6,argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40996 - no firmwall srcmac\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%s<%d<%s<%s<%d<%s\",1,*argv,argv[1],argv[2],depentent_on_argv[3],argv[4],argv[5],depentent_on_argv[6],argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer 
overflow.\n\n#### CVE-2022-40997 - gre index\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n gre index <1-8> destination A.B.C.D/M description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%s>\",1,*argv,argv[1],argv[2]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40998 - no gre index\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no gre index <1-8> destination A.B.C.D/M description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%s\",1,*argv,argv[1],argv[2]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40999 - gre index with keepalive\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%s<%s<%d<%s<%s<%s>\",1,*argv,argv[1],argv[2],argv[3],dependent_on_argv[4],argv[5],argv[6],argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41000 - no gre index with keepalive\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%s<%s<%d<%s<%s<%s\",1,*argv,argv[1],argv[2],argv[3],dependent_on_argv[4],argv[5],argv[6],argv[7]);\n 
\n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41001 - icmp check link\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n icmp check link WORD destination WORD interval <1-255> retries <1-255> description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%d<%d<%s\",1,*argv,argv[1],atoi_argv_2,atoi_argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41002 - no icmp check link\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no icmp check link WORD destination WORD interval <1-255> retries <1-255> description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%d<%d<%s\",1,*argv,argv[1],atoi_argv[2],atoi_argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41003 - ip nat outside source\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n ip nat outside source (udp|tcp|all) (WORD|null) WORD to A.B.C.D (WORD|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%s\",1,based_on_argv[0],argv[1],argv[2],argv[4],argv[3],argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41004 - no ip nat outside source\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no ip nat outside source (udp|tcp|all) (WORD|null) WORD to A.B.C.D (WORD|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n 
sprintf(buff_0x40,\"%d<%d<%s<%s<%s<%s<%s\",1,based_on_argv[0],argv[1],argv[2],argv[4],argv[3],argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41005 - ip static route\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n ip static route destination A.B.C.D gateway A.B.C.D mask A.B.C.D metric <0-10> interface (lan|wan|vpn) description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%s<%s<%s<%s<%s<%s\",*argv,argv[1],argv[2],argv[3],argv[4],argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41006 - no ip static route\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no ip static route destination A.B.C.D gateway A.B.C.D mask A.B.C.D metric <0-10> interface (lan|wan|vpn) description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%s<%s<%s<%s<%s<%s\",*argv,argv[1],argv[2],argv[3],argv[4],argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41007 - port redirect protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n port redirect protocol (tcp|udp|tcp/udp) inport <1-65535> dstaddr A.B.C.D export <1-65535> description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%d<%s<%s<%s<%s>\",1,based_on_argv[0],atoi_argv[1],argv[2],atoi_argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41008 - no port redirect protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no port redirect protocol (tcp|udp|tcp/udp) inport <1-65535> dstaddr A.B.C.D export 
<1-65535> description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%d<%s<%s<%s<%s\",1,based_on_argv[0],atoi_argv[1],argv[2],atoi_argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41009 - port triger protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n port triger protocol (tcp|udp|tcp/udp) triger port <1-65535> forward port <1-65535> description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%d<%s<%s<%s>\",1,based_on_argv[0],atoi_argv[1],atoi_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41010 - no port triger protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no port triger protocol (tcp|udp|tcp/udp) triger port <1-65535> forward port <1-65535> description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%d<%s<%s<%s\",1,based_on_argv[0],atoi_argv[1],atoi_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41011 - schedule link1\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n schedule link1 WORD link2 WORD policy (failover|backup) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%d<%s\",1,*argv,argv[1],dependent_on_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41012 - no schedule link1\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no schedule link1 WORD link2 WORD policy 
(failover|backup) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%d<%s\",1,*argv,argv[1],dependent_on_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41013 - static dhcp mac\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n static dhcp mac WORD (WORD|null) ip A.B.C.D hostname (WORD|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n if (*argv[1] == '\\x00'){\n format_string = \"%s%s<%s<%s<%s\";\n }\n else{\n format_string = \"%s,%s<%s<%s<%s\";\n } \n sprintf(buff_0x40,format_string,*argv,argv[1],argv[2],argv[3],argv[4]); \n \n\n#### CVE-2022-41014 - no static dhcp mac\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no static dhcp mac WORD (WORD|null) ip A.B.C.D hostname (WORD|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n if (*argv[1] == '\\x00'){\n format_string = \"%s%s<%s<%s<%s\";\n }\n else{\n format_string = \"%s,%s<%s<%s<%s\";\n } \n sprintf(buff_0x40,format_string,*argv,argv[1],argv[2],argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41015 - vpn basic protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%d<%d<%s\",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### 
CVE-2022-41016 - no vpn basic protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%d<%d<%s\",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41017 - vpn basic protocol with localip\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%d<%d<%s\",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41018 - no vpn basic protocol with localip\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%d<%d<%s\",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41019 - vpn l2tp advanced name\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru 
<128-16384> auth (on|off) password (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%s<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41020 - no vpn l2tp advanced name\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%s<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41021 - vpn l2tp advanced name with options\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%s<%s\",1,*argv,based_on_argv[1],atoi_argv[2],argv[3],based_on_argv[4],argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41022 - no vpn l2tp advanced name with options\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%s<%s\",1,*argv,based_on_argv[1],atoi_argv[2],argv[3],based_on_argv[4],argv[5],\"\");\n \n\nThe function executing this 
code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41023 - vpn pptp advanced name\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%d<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41024 - no vpn pptp advanced name\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%d<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41025 - vpn pptp advanced name with options\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) options WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%d<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],argv[6]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41026 - no vpn pptp advanced name with options\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) 
stateful (on|off) options WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%d<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],argv[6]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41027 - vpn schedule name1\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn schedule name1 WORD name2 WORD policy (failover|backup) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%d<%s\",1,*argv,argv[1],based_on_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41028 - no vpn schedule name1\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn schedule name1 WORD name2 WORD policy (failover|backup) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%d<%s\",1,*argv,argv[1],based_on_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41029 - wlan filter mac address\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n wlan filter mac address WORD descript WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x20,\"%s%s%s%s%s%s<%s\",octet_from_argv0[0],octet_from_argv0[1],octet_from_argv0[2],octet_from_argv0[3],octet_from_argv0[4],octet_from_argv0[5],argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41030 - no wlan filter mac address\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no wlan filter mac 
address WORD descript WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x20,\"%s%s%s%s%s%s<%s\",octet_from_argv0[0],octet_from_argv0[1],octet_from_argv0[2],octet_from_argv0[3],octet_from_argv0[4],octet_from_argv0[5],argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1639\n\nPrevious Report\n\nTALOS-2022-1612\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD DetranCLI command parsing stack-based buffer overflow vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40985", "CVE-2022-40986", "CVE-2022-40987", "CVE-2022-40988", "CVE-2022-40989", "CVE-2022-40990", "CVE-2022-40991", "CVE-2022-40992", "CVE-2022-40993", "CVE-2022-40994", 
"CVE-2022-40995", "CVE-2022-40996", "CVE-2022-40997", "CVE-2022-40998", "CVE-2022-40999", "CVE-2022-41000", "CVE-2022-41001", "CVE-2022-41002", "CVE-2022-41003", "CVE-2022-41004", "CVE-2022-41005", "CVE-2022-41006", "CVE-2022-41007", "CVE-2022-41008", "CVE-2022-41009", "CVE-2022-41010", "CVE-2022-41011", "CVE-2022-41012", "CVE-2022-41013", "CVE-2022-41014", "CVE-2022-41015", "CVE-2022-41016", "CVE-2022-41017", "CVE-2022-41018", "CVE-2022-41019", "CVE-2022-41020", "CVE-2022-41021", "CVE-2022-41022", "CVE-2022-41023", "CVE-2022-41024", "CVE-2022-41025", "CVE-2022-41026", "CVE-2022-41027", "CVE-2022-41028", "CVE-2022-41029", "CVE-2022-41030"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1613", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1613", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}