CVE-2022-41030: TALOS-2022-1613 || Cisco Talos Intelligence Group
Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. This buffer overflow is in the function that manages the ‘no wlan filter mac address WORD descript WORD’ command template.
CVE-2022-41024,CVE-2022-41022,CVE-2022-41018,CVE-2022-41017,CVE-2022-40990,CVE-2022-41008,CVE-2022-41012,CVE-2022-40998,CVE-2022-40986,CVE-2022-41013,CVE-2022-40993,CVE-2022-41010,CVE-2022-40997,CVE-2022-40999,CVE-2022-41011,CVE-2022-41025,CVE-2022-41026,CVE-2022-41002,CVE-2022-41001,CVE-2022-41021,CVE-2022-41030,CVE-2022-41005,CVE-2022-40985,CVE-2022-41020,CVE-2022-41009,CVE-2022-41027,CVE-2022-40991,CVE-2022-41029,CVE-2022-40996,CVE-2022-41015,CVE-2022-40987,CVE-2022-41019,CVE-2022-41006,CVE-2022-41014,CVE-2022-40995,CVE-2022-41007,CVE-2022-40989,CVE-2022-40988,CVE-2022-40992,CVE-2022-41003,CVE-2022-41016,CVE-2022-41000,CVE-2022-41004,CVE-2022-41028,CVE-2022-40994,CVE-2022-41023
SUMMARY
Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
PRODUCT URLS
QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/
CVSSv3 SCORE
7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
DETAILS
The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as SSH, UPNP, VPN, SNMP and many others.
The QUARTZ-GOLD router offers a customized router console through the DetranCLI binary. From this CLI interface, it is possible to use several functionalities. Many of these functionalities share a parsing pattern that is vulnerable to a stack-based buffer overflow.
This pattern looks like: sprintf(stack_buffer, format_string, command_parameter_1, …). The problem is that, in many functions, the size of command_parameter_X is never checked against the size of stack_buffer, so an over-long parameter leads to a stack-based buffer overflow.
The DetranCLI binary uses a command template for each command. The relevant template special keywords are:
- WORD: a parameter consisting of any sequence of printable characters
- CODE: a parameter similar to WORD
- A.B.C.D: a parameter representing an IP address
- <min_value-max_value>: a numerical parameter with a range of possible values, from min_value to max_value
- (choice1|choice2…): a parameter with a set of possible values. A choice can itself be another special keyword, such as WORD or <min_value-max_value>
Each of the above special keywords fills one slot of the char** array passed as the second parameter to every command function. From this point on, this second parameter will be called argv. Each special keyword is inserted into argv in order of appearance. For example, for the command:
firmwall keyword WORD description (WORD|null)
the function will receive as argv[0] a sequence of characters, and as argv[1] either any sequence of characters or the string ‘null’.
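As an added illustration of the template-to-argv mapping and of the missing size check (example code written for this page, not Talos' or Siretta's code): a small matcher for the keyword classes listed above that fills argv and rejects over-long WORD values, followed by the ‘firmwall keyword’ record ("%d<%s<%s") built with snprintf and a fit check instead of sprintf. MAX_WORD, MAX_ARGS and MAX_TOKENS are constructed limits; the A.B.C.D/M form is not handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TOKENS 32 /* constructed: tokens per line/template */
#define MAX_ARGS 8    /* constructed: argv slots a template may fill */
#define MAX_WORD 63   /* constructed: cap on a WORD/CODE value, sized for the 0x80 records */

/* Split s (copied into buf) on spaces; returns token count, or -1 past the limits. */
static int split(const char *s, char *buf, size_t bufsz, char *tok[], int maxtok) {
    int n = 0;
    if (strlen(s) >= bufsz) return -1;
    strcpy(buf, s);
    for (char *p = strtok(buf, " "); p; p = strtok(NULL, " "))
        if (n == maxtok) return -1; else tok[n++] = p;
    return n;
}

/* Does tok satisfy template keyword kw?  The classes are the advisory's:
   WORD/CODE, A.B.C.D, <min-max>, (a|b|...), and otherwise a fixed word. */
static int match_keyword(const char *kw, const char *tok) {
    if (!strcmp(kw, "WORD") || !strcmp(kw, "CODE")) {
        size_t len = strlen(tok);
        if (len == 0 || len > MAX_WORD) return 0; /* the size check the handlers lack */
        for (size_t i = 0; i < len; i++) if (!isprint((unsigned char)tok[i])) return 0;
        return 1;
    }
    if (!strcmp(kw, "A.B.C.D")) {
        unsigned a, b, c, d; char extra;
        if (sscanf(tok, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &extra) != 4) return 0;
        return a < 256 && b < 256 && c < 256 && d < 256;
    }
    if (kw[0] == '<') { /* <min-max>: the whole token must be an in-range integer */
        long lo, hi, v; char *end;
        if (sscanf(kw, "<%ld-%ld>", &lo, &hi) != 2) return 0;
        v = strtol(tok, &end, 10);
        return end != tok && *end == '\0' && v >= lo && v <= hi;
    }
    if (kw[0] == '(') { /* (choice1|choice2...): a choice may itself be a keyword */
        char alt[64]; const char *p = kw + 1;
        while (*p && *p != ')') {
            size_t n = strcspn(p, "|)");
            if (n == 0 || n >= sizeof alt) return 0;
            memcpy(alt, p, n); alt[n] = '\0';
            if (match_keyword(alt, tok)) return 1;
            p += n + (p[n] == '|');
        }
        return 0;
    }
    return strcmp(kw, tok) == 0; /* fixed command word such as "firmwall" */
}

/* Match line against tmpl; on success copy each special-keyword value into argv[]
   in order (the argv the advisory describes) and return argc, else -1. */
static int match_template(const char *tmpl, const char *line, char argv[][MAX_WORD + 1]) {
    char tbuf[256], lbuf[512], *tt[MAX_TOKENS], *lt[MAX_TOKENS];
    int nt = split(tmpl, tbuf, sizeof tbuf, tt, MAX_TOKENS);
    int nl = split(line, lbuf, sizeof lbuf, lt, MAX_TOKENS), argc = 0;
    if (nt <= 0 || nl != nt) return -1;
    for (int i = 0; i < nt; i++) {
        const char *kw = tt[i];
        int special = !strcmp(kw, "WORD") || !strcmp(kw, "CODE") ||
                      !strcmp(kw, "A.B.C.D") || kw[0] == '<' || kw[0] == '(';
        if (!match_keyword(kw, lt[i])) return -1;
        if (special && (argc == MAX_ARGS || strlen(lt[i]) > MAX_WORD)) return -1;
        if (special) strcpy(argv[argc++], lt[i]);
    }
    return argc;
}

/* The "firmwall keyword" record ("%d<%s<%s" in the advisory) built with snprintf and
   a length check instead of sprintf: returns its length, or -1 when it would not fit. */
static int build_record(char *out, size_t outsz, const char *word, const char *descr) {
    int n = snprintf(out, outsz, "%d<%s<%s", 1, word, descr);
    if (n < 0 || (size_t)n >= outsz) { if (outsz) out[0] = '\0'; return -1; }
    return n;
}
```

With a rejecting matcher and a checked formatter, an over-long WORD is refused at parse time and a record that would exceed the stack buffer is reported instead of written.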
Following is the list of vulnerable commands with their details.
CVE-2022-40985 - ddnsX hostname
This stack-based buffer overflow can be reached using the following command template:
(ddns1|ddns2) hostname WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x200,"%s<%s:%s<%s<%s<%s<%s<%s","","","",argv[1],"0","","0","");
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40986 - ddnsX mx
This stack-based buffer overflow can be reached using the following command template:
(ddns1|ddns2) mx WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x200,"%s<%s:%s<%s<%s<%s<%s<%s","","","","","0",argv[1],"0","");
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40987 - ddnsX username
This stack-based buffer overflow can be reached using the following command template:
(ddns1|ddns2) username WORD password CODE
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x200,"%s<%s:%s<%s<%s<%s<%s<%s","",argv[1],argv[2],"","0","","0","");
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40988 - ipv6 static dns
This stack-based buffer overflow can be reached using the following command template:
ipv6 static dns WORD WORD WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_260,"%s %s %s",*argv,argv[1],argv[2]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40989 - bandwidth
This stack-based buffer overflow can be reached using the following command template:
bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%s<%s<%s<%s<%s<%d<0<0",*argv,argv[1],argv[2],argv[3],argv[4],based_on_argv[5]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40990 - no bandwidth
This stack-based buffer overflow can be reached using the following command template:
no bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%s<%s<%s<%s<%s<%d<0<0",*argv,argv[1],argv[2],argv[3],argv[4],based_on_argv[5]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40991 - firmwall domain
This stack-based buffer overflow can be reached using the following command template:
firmwall domain WORD description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s",1,*argv,argv[1]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40992 - no firmwall domain
This stack-based buffer overflow can be reached using the following command template:
no firmwall domain WORD description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(stack_0x80,"%d<%s<%s",1,*argv,argv[1]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40993 - firmwall keyword
This stack-based buffer overflow can be reached using the following command template:
firmwall keyword WORD description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s",1,*argv,argv[1]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40994 - no firmwall keyword
This stack-based buffer overflow can be reached using the following command template:
no firmwall keyword WORD description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s",1,*argv,argv[1]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40995 - firmwall srcmac
This stack-based buffer overflow can be reached using the following command template:
firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%s<%s<%d<%s<%s<%d<%s>",1,*argv,argv[1],argv[2],dependent_on_argv[3],argv[4],argv[5],iVar6,argv[7]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40996 - no firmwall srcmac
This stack-based buffer overflow can be reached using the following command template:
no firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%s<%s<%d<%s<%s<%d<%s",1,*argv,argv[1],argv[2],dependent_on_argv[3],argv[4],argv[5],dependent_on_argv[6],argv[7]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40997 - gre index
This stack-based buffer overflow can be reached using the following command template:
gre index <1-8> destination A.B.C.D/M description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s<%s>",1,*argv,argv[1],argv[2]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40998 - no gre index
This stack-based buffer overflow can be reached using the following command template:
no gre index <1-8> destination A.B.C.D/M description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s<%s",1,*argv,argv[1],argv[2]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-40999 - gre index with keepalive
This stack-based buffer overflow can be reached using the following command template:
gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s<%s<%s<%d<%s<%s<%s>",1,*argv,argv[1],argv[2],argv[3],dependent_on_argv[4],argv[5],argv[6],argv[7]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41000 - no gre index with keepalive
This stack-based buffer overflow can be reached using the following command template:
no gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s<%s<%s<%d<%s<%s<%s",1,*argv,argv[1],argv[2],argv[3],dependent_on_argv[4],argv[5],argv[6],argv[7]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41001 - icmp check link
This stack-based buffer overflow can be reached using the following command template:
icmp check link WORD destination WORD interval <1-255> retries <1-255> description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s<%d<%d<%s",1,*argv,argv[1],atoi_argv[2],atoi_argv[3],argv[4]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41002 - no icmp check link
This stack-based buffer overflow can be reached using the following command template:
no icmp check link WORD destination WORD interval <1-255> retries <1-255> description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%s<%s<%d<%d<%s",1,*argv,argv[1],atoi_argv[2],atoi_argv[3],argv[4]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41003 - ip nat outside source
This stack-based buffer overflow can be reached using the following command template:
ip nat outside source (udp|tcp|all) (WORD|null) WORD to A.B.C.D (WORD|null) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%s",1,based_on_argv[0],argv[1],argv[2],argv[4],argv[3],argv[5]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41004 - no ip nat outside source
This stack-based buffer overflow can be reached using the following command template:
no ip nat outside source (udp|tcp|all) (WORD|null) WORD to A.B.C.D (WORD|null) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x40,"%d<%d<%s<%s<%s<%s<%s",1,based_on_argv[0],argv[1],argv[2],argv[4],argv[3],argv[5]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41005 - ip static route
This stack-based buffer overflow can be reached using the following command template:
ip static route destination A.B.C.D gateway A.B.C.D mask A.B.C.D metric <0-10> interface (lan|wan|vpn) description WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%s<%s<%s<%s<%s<%s",*argv,argv[1],argv[2],argv[3],argv[4],argv[5]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41006 - no ip static route
This stack-based buffer overflow can be reached using the following command template:
no ip static route destination A.B.C.D gateway A.B.C.D mask A.B.C.D metric <0-10> interface (lan|wan|vpn) description WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%s<%s<%s<%s<%s<%s",*argv,argv[1],argv[2],argv[3],argv[4],argv[5]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41007 - port redirect protocol
This stack-based buffer overflow can be reached using the following command template:
port redirect protocol (tcp|udp|tcp/udp) inport <1-65535> dstaddr A.B.C.D export <1-65535> description WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%d<%s<%s<%s<%s>",1,based_on_argv[0],atoi_argv[1],argv[2],atoi_argv[3],argv[4]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41008 - no port redirect protocol
This stack-based buffer overflow can be reached using the following command template:
no port redirect protocol (tcp|udp|tcp/udp) inport <1-65535> dstaddr A.B.C.D export <1-65535> description WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%d<%s<%s<%s<%s",1,based_on_argv[0],atoi_argv[1],argv[2],atoi_argv[3],argv[4]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41009 - port triger protocol
This stack-based buffer overflow can be reached using the following command template:
port triger protocol (tcp|udp|tcp/udp) triger port <1-65535> forward port <1-65535> description WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%d<%s<%s<%s>",1,based_on_argv[0],atoi_argv[1],atoi_argv[2],argv[3]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41010 - no port triger protocol
This stack-based buffer overflow can be reached using the following command template:
no port triger protocol (tcp|udp|tcp/udp) triger port <1-65535> forward port <1-65535> description WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x80,"%d<%d<%s<%s<%s",1,based_on_argv[0],atoi_argv[1],atoi_argv[2],argv[3]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41011 - schedule link1
This stack-based buffer overflow can be reached using the following command template:
schedule link1 WORD link2 WORD policy (failover|backup) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%s<%d<%s",1,*argv,argv[1],dependent_on_argv[2],argv[3]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41012 - no schedule link1
This stack-based buffer overflow can be reached using the following command template:
no schedule link1 WORD link2 WORD policy (failover|backup) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%s<%d<%s",1,*argv,argv[1],dependent_on_argv[2],argv[3]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41013 - static dhcp mac
This stack-based buffer overflow can be reached using the following command template:
static dhcp mac WORD (WORD|null) ip A.B.C.D hostname (WORD|null) description (WORD|null)
If the command is issued correctly, the following code will be reached:
if (*argv[1] == '\x00'){
    format_string = "%s%s<%s<%s<%s";
}
else{
    format_string = "%s,%s<%s<%s<%s";
}
sprintf(buff_0x40,format_string,*argv,argv[1],argv[2],argv[3],argv[4]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41014 - no static dhcp mac
This stack-based buffer overflow can be reached using the following command template:
no static dhcp mac WORD (WORD|null) ip A.B.C.D hostname (WORD|null) description (WORD|null)
If the command is issued correctly, the following code will be reached:
if (*argv[1] == '\x00'){
    format_string = "%s%s<%s<%s<%s";
}
else{
    format_string = "%s,%s<%s<%s<%s";
}
sprintf(buff_0x40,format_string,*argv,argv[1],argv[2],argv[3],argv[4]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41015 - vpn basic protocol
This stack-based buffer overflow can be reached using the following command template:
vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%d<%d<%s",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41016 - no vpn basic protocol
This stack-based buffer overflow can be reached using the following command template:
no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%d<%d<%s",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41017 - vpn basic protocol with localip
This stack-based buffer overflow can be reached using the following command template:
vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%d<%d<%s",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],argv[7]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41018 - no vpn basic protocol with localip
This stack-based buffer overflow can be reached using the following command template:
no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%d<%d<%s",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],argv[7]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41019 - vpn l2tp advanced name
This stack-based buffer overflow can be reached using the following command template:
vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%s<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],argv[5],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41020 - no vpn l2tp advanced name
This stack-based buffer overflow can be reached using the following command template:
no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%s<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],argv[5],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41021 - vpn l2tp advanced name with options
This stack-based buffer overflow can be reached using the following command template:
vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%s<%s",1,*argv,based_on_argv[1],atoi_argv[2],argv[3],based_on_argv[4],argv[5],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41022 - no vpn l2tp advanced name with options
This stack-based buffer overflow can be reached using the following command template:
no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%s<%s",1,*argv,based_on_argv[1],atoi_argv[2],argv[3],based_on_argv[4],argv[5],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41023 - vpn pptp advanced name
This stack-based buffer overflow can be reached using the following command template:
vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%d<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41024 - no vpn pptp advanced name
This stack-based buffer overflow can be reached using the following command template:
no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%d<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],"");
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41025 - vpn pptp advanced name with options
This stack-based buffer overflow can be reached using the following command template:
vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) options WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%d<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],argv[6]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41026 - no vpn pptp advanced name with options
This stack-based buffer overflow can be reached using the following command template:
no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) options WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%d<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],argv[6]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41027 - vpn schedule name1
This stack-based buffer overflow can be reached using the following command template:
vpn schedule name1 WORD name2 WORD policy (failover|backup) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%s<%d<%s",1,*argv,argv[1],based_on_argv[2],argv[3]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41028 - no vpn schedule name1
This stack-based buffer overflow can be reached using the following command template:
no vpn schedule name1 WORD name2 WORD policy (failover|backup) description (WORD|null)
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x100,"%d<%s<%s<%d<%s",1,*argv,argv[1],based_on_argv[2],argv[3]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41029 - wlan filter mac address
This stack-based buffer overflow can be reached using the following command template:
wlan filter mac address WORD descript WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x20,"%s%s%s%s%s%s<%s",octet_from_argv0[0],octet_from_argv0[1],octet_from_argv0[2],octet_from_argv0[3],octet_from_argv0[4],octet_from_argv0[5],argv[1]);
The function executing this code is vulnerable to a stack-based buffer overflow.
CVE-2022-41030 - no wlan filter mac address
This stack-based buffer overflow can be reached using the following command template:
no wlan filter mac address WORD descript WORD
If the command is issued correctly, the following code will be reached:
sprintf(buff_0x20,"%s%s%s%s%s%s<%s",octet_from_argv0[0],octet_from_argv0[1],octet_from_argv0[2],octet_from_argv0[3],octet_from_argv0[4],octet_from_argv0[5],argv[1]);
The function executing this code is vulnerable to a stack-based buffer overflow.
TIMELINE
2022-10-14 - Initial Vendor Contact
2022-10-20 - Vendor Disclosure
2022-11-24 - Vendor Patch Release
2023-01-26 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.
Related news
Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.
Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router. The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and