Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato

2023-01-26 21:26:14
Kri Dontje
blog.talosintelligence.com

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities.

Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router.

The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as SSH, UPnP, VPN, SNMP and many others. FreshTomato is an open-source, Linux-based firmware that offers several features for Broadcom-based routers.

Quartz-Gold Vulnerabilities

Several OS command injection vulnerabilities were found which could lead to arbitrary command execution, making them all high risk. TALOS-2022-1607 (CVE-2022-40969) and TALOS-2022-1612 (CVE-2022-40220) can be triggered with HTTP requests, while TALOS-2022-1615 (CVE-2022-38066), TALOS-2022-1638 (CVE-2022-40222) and TALOS-2022-1640 (CVE-2022-42490-CVE-2022-42493) can each be triggered with a network request.

Three directory traversal vulnerabilities were recorded in QUARTZ-GOLD. TALOS-2022-1606 (CVE-2022-40701) and TALOS-2022-1637 (CVE-2022-41154) can lead to arbitrary file deletion; advisory 1637 has a higher CVSS risk rating and can be triggered by a network request. TALOS-2022-1609 (CVE-2022-38088) can lead to arbitrary file read.

Three stack-based buffer overflows were found: TALOS-2022-1605 (CVE-2022-36279) and TALOS-2022-1608 (CVE-2022-38459) can lead to remote code execution, triggered by an HTTP request. TALOS-2022-1613 (CVE-2022-40985-CVE-2022-41030) can lead to arbitrary command execution and is triggered by a sequence of requests.

A heap-based buffer overflow vulnerability was also reported in TALOS-2022-1639 (CVE-2022-41991), which can be triggered by a network request.

Two other vulnerabilities were discovered: TALOS-2022-1610 (CVE-2022-38715), leftover debug code that can lead to remote code execution, and TALOS-2022-1611 (CVE-2022-39045), a file write vulnerability that can lead to arbitrary file upload. Both can be triggered by HTTP requests.

FreshTomato Vulnerabilities

In FreshTomato, Talos found TALOS-2022-1641 (CVE-2022-42484), an OS command injection vulnerability, and TALOS-2022-1642 (CVE-2022-38451), a directory traversal vulnerability. An attacker can send an HTTP request to trigger these vulnerabilities.

Cisco Talos worked with Siretta and FreshTomato to ensure that these issues were resolved and an update is available for affected customers, all in adherence to Cisco's vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, FreshTomato 2022.5 and AdvancedTomato commit 67273b0. Talos tested and confirmed that these versions of Siretta and FreshTomato could be exploited through these vulnerabilities.

The following Snort rules will detect exploitation attempts against these vulnerabilities: 60649-60652, 60656-0664, 60667, 60692, 60721-60724, 60761-60763, 60771-60775, 60846-60847, 60914. Additional rules may be released in the future, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.
