Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-41030: TALOS-2022-1613 || Cisco Talos Intelligence Group

Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.This buffer overflow is in the function that manages the ‘no wlan filter mac address WORD descript WORD’ command template.

CVE
#vulnerability#mac#cisco#intel#buffer_overflow#auth#ssh

CVE-2022-41024,CVE-2022-41022,CVE-2022-41018,CVE-2022-41017,CVE-2022-40990,CVE-2022-41008,CVE-2022-41012,CVE-2022-40998,CVE-2022-40986,CVE-2022-41013,CVE-2022-40993,CVE-2022-41010,CVE-2022-40997,CVE-2022-40999,CVE-2022-41011,CVE-2022-41025,CVE-2022-41026,CVE-2022-41002,CVE-2022-41001,CVE-2022-41021,CVE-2022-41030,CVE-2022-41005,CVE-2022-40985,CVE-2022-41020,CVE-2022-41009,CVE-2022-41027,CVE-2022-40991,CVE-2022-41029,CVE-2022-40996,CVE-2022-41015,CVE-2022-40987,CVE-2022-41019,CVE-2022-41006,CVE-2022-41014,CVE-2022-40995,CVE-2022-41007,CVE-2022-40989,CVE-2022-40988,CVE-2022-40992,CVE-2022-41003,CVE-2022-41016,CVE-2022-41000,CVE-2022-41004,CVE-2022-41028,CVE-2022-40994,CVE-2022-41023

SUMMARY

Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

PRODUCT URLS

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

CVSSv3 SCORE

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-120 - Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

DETAILS

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router offers a customized router console by the DetranCLI binary. From this CLI interface, it is possible to use several functionalities. Many functionalities have a parsing pattern that is vulnerable to stack-based buffer overflow.

This pattern looks like: sprintf(stack_buffer, format_string, command_parameter_1, …). The problem is that, in many functions, the command_parameter_X’s size is not checked to take into account the size of stack_buffer, which can lead to stack-based buffer overflow.

The DetranCLI binary uses command template for each command. Following the relevant template special keyword:

  • WORD This is a parameter with any sequence of printable characters
  • CODE This parameter is similar to WORD
  • A.B.C.D This parameter represents an IP address
  • <min_value-max_value> This is a numerical parameter with a range of possible values, from min_value to max_value
  • (choice1|choice2…) This is a parameter with a set of possible values. The value can be another special keyword, like WORD or <min_value-max_value>

Each of the above special keyword is going to fill the char** array provided as second parameter on each command function. From this point this second argument parameter will be called argv. Each special keyword will be inserted in argv progressively. For example, for the command:

firmwall keyword WORD description (WORD|null)

This function will have as argv[0] a sequence of character, and as argv[1] either any sequence of characters or the string ‘null’.

Following is the list of vulnerable commands with its details.

CVE-2022-40985 - ddnsX hostname

This stack-based buffer overflow can be reached using the following command template:

(ddns1|ddns2) hostname WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x200,"%s<%s:%s<%s<%s<%s<%s<%s","","","",argv[1],"0","","0","");

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40986 - ddnsX mx

This stack-based buffer overflow can be reached using the following command template:

(ddns1|ddns2) mx WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x200,"%s<%s:%s<%s<%s<%s<%s<%s","","","","","0",argv[1],"0","");

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40987 - ddnsX username

This stack-based buffer overflow can be reached using the following command template:

(ddns1|ddns2) username WORD password CODE

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x200,"%s<%s:%s<%s<%s<%s<%s<%s","",argv[1],argv[2],"","0","","0","");

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40988 - ipv6 static dns

This stack-based buffer overflow can be reached using the following command template:

ipv6 static dns WORD WORD WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_260,"%s %s %s",*argv,argv[1],argv[2]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40989 - bandwidth

This stack-based buffer overflow can be reached using the following command template:

bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%s<%s<%s<%s<%s<%d<0<0",*argv,argv[1],argv[2],argv[3],argv[4],based_on_argv[5]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40990 - no bandwidth

This stack-based buffer overflow can be reached using the following command template:

no bandwidth WORD dlrate <1-9999> dlceil <1-9999> ulrate <1-9999> ulceil <1-9999> priority (highest|high|normal|low|lowest)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%s<%s<%s<%s<%s<%d<0<0",*argv,argv[1],argv[2],argv[3],argv[4],based_on_argv[5]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40991 - firmwall domain

This stack-based buffer overflow can be reached using the following command template:

firmwall domain WORD description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%d<%s<%s",1,*argv,argv[1]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40992 - no firmwall domain

This stack-based buffer overflow can be reached using the following command template:

no firmwall domain WORD description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(stack_0x80,"%d<%s<%s",1,*argv,argv[1]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40993 - firmwall keyword

This stack-based buffer overflow can be reached using the following command template:

firmwall keyword WORD description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%d<%s<%s",1,*argv,argv[1]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40994 - no firmwall keyword

This stack-based buffer overflow can be reached using the following command template:

no firmwall keyword WORD description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%d<%s<%s",1,*argv,argv[1]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40995 - firmwall srcmac

This stack-based buffer overflow can be reached using the following command template:

firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%s<%s<%d<%s<%s<%d<%s>",1,*argv,argv[1],argv[2],depentent_on_argv[3],argv[4],argv[5],iVar6,argv[7]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40996 - no firmwall srcmac

This stack-based buffer overflow can be reached using the following command template:

no firmwall srcmac (WORD|null) srcip (A.B.C.D|null) dstip (A.B.C.D|null) protocol (none|tcp|udp|icmp) srcport (<1-65535>|null) dstport (<1-65535>|null) policy (drop|accept) description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%s<%s<%d<%s<%s<%d<%s",1,*argv,argv[1],argv[2],depentent_on_argv[3],argv[4],argv[5],depentent_on_argv[6],argv[7]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40997 - gre index

This stack-based buffer overflow can be reached using the following command template:

gre index <1-8> destination A.B.C.D/M description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%d<%s<%s<%s>",1,*argv,argv[1],argv[2]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40998 - no gre index

This stack-based buffer overflow can be reached using the following command template:

no gre index <1-8> destination A.B.C.D/M description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%d<%s<%s<%s",1,*argv,argv[1],argv[2]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-40999 - gre index with keepalive

This stack-based buffer overflow can be reached using the following command template:

gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%d<%s<%s<%s<%s<%d<%s<%s<%s>",1,*argv,argv[1],argv[2],argv[3],dependent_on_argv[4],argv[5],argv[6],argv[7]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41000 - no gre index with keepalive

This stack-based buffer overflow can be reached using the following command template:

no gre index <1-8> tunnel A.B.C.D source (A.B.C.D|null) dest A.B.C.D keepalive (on|off) interval (<0-255>|null) retry (<0-255>|null) description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%d<%s<%s<%s<%s<%d<%s<%s<%s",1,*argv,argv[1],argv[2],argv[3],dependent_on_argv[4],argv[5],argv[6],argv[7]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41001 - icmp check link

This stack-based buffer overflow can be reached using the following command template:

icmp check link WORD destination WORD interval <1-255> retries <1-255> description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%d<%s<%s<%d<%d<%s",1,*argv,argv[1],atoi_argv_2,atoi_argv[3],argv[4]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41002 - no icmp check link

This stack-based buffer overflow can be reached using the following command template:

no icmp check link WORD destination WORD interval <1-255> retries <1-255> description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%d<%s<%s<%d<%d<%s",1,*argv,argv[1],atoi_argv[2],atoi_argv[3],argv[4]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41003 - ip nat outside source

This stack-based buffer overflow can be reached using the following command template:

ip nat outside source (udp|tcp|all) (WORD|null) WORD to A.B.C.D (WORD|null) description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%s",1,based_on_argv[0],argv[1],argv[2],argv[4],argv[3],argv[5]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41004 - no ip nat outside source

This stack-based buffer overflow can be reached using the following command template:

no ip nat outside source (udp|tcp|all) (WORD|null) WORD to A.B.C.D (WORD|null) description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x40,"%d<%d<%s<%s<%s<%s<%s",1,based_on_argv[0],argv[1],argv[2],argv[4],argv[3],argv[5]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41005 - ip static route

This stack-based buffer overflow can be reached using the following command template:

ip static route destination A.B.C.D gateway A.B.C.D mask A.B.C.D metric <0-10> interface (lan|wan|vpn) description WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%s<%s<%s<%s<%s<%s",*argv,argv[1],argv[2],argv[3],argv[4],argv[5]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41006 - no ip static route

This stack-based buffer overflow can be reached using the following command template:

no ip static route destination A.B.C.D gateway A.B.C.D mask A.B.C.D metric <0-10> interface (lan|wan|vpn) description WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%s<%s<%s<%s<%s<%s",*argv,argv[1],argv[2],argv[3],argv[4],argv[5]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41007 - port redirect protocol

This stack-based buffer overflow can be reached using the following command template:

port redirect protocol (tcp|udp|tcp/udp) inport <1-65535> dstaddr A.B.C.D export <1-65535> description WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%d<%d<%s<%s<%s<%s>",1,based_on_argv[0],atoi_argv[1],argv[2],atoi_argv[3],argv[4]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41008 - no port redirect protocol

This stack-based buffer overflow can be reached using the following command template:

no port redirect protocol (tcp|udp|tcp/udp) inport <1-65535> dstaddr A.B.C.D export <1-65535> description WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%d<%d<%s<%s<%s<%s",1,based_on_argv[0],atoi_argv[1],argv[2],atoi_argv[3],argv[4]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41009 - port triger protocol

This stack-based buffer overflow can be reached using the following command template:

port triger protocol (tcp|udp|tcp/udp) triger port <1-65535> forward port <1-65535> description WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%d<%d<%s<%s<%s>",1,based_on_argv[0],atoi_argv[1],atoi_argv[2],argv[3]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41010 - no port triger protocol

This stack-based buffer overflow can be reached using the following command template:

no port triger protocol (tcp|udp|tcp/udp) triger port <1-65535> forward port <1-65535> description WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x80,"%d<%d<%s<%s<%s",1,based_on_argv[0],atoi_argv[1],atoi_argv[2],argv[3]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41011 - schedule link1

This stack-based buffer overflow can be reached using the following command template:

schedule link1 WORD link2 WORD policy (failover|backup) description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%s<%d<%s",1,*argv,argv[1],dependent_on_argv[2],argv[3]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41012 - no schedule link1

This stack-based buffer overflow can be reached using the following command template:

no schedule link1 WORD link2 WORD policy (failover|backup) description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%s<%d<%s",1,*argv,argv[1],dependent_on_argv[2],argv[3]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41013 - static dhcp mac

This stack-based buffer overflow can be reached using the following command template:

static dhcp mac WORD (WORD|null) ip A.B.C.D hostname (WORD|null) description (WORD|null)

If the command is issued correctly, the following code will be reached:

if (*argv[1] == '\x00'){
    format_string = "%s%s<%s<%s<%s";
}
else{
    format_string = "%s,%s<%s<%s<%s";
} 
sprintf(buff_0x40,format_string,*argv,argv[1],argv[2],argv[3],argv[4]); 

CVE-2022-41014 - no static dhcp mac

This stack-based buffer overflow can be reached using the following command template:

no static dhcp mac WORD (WORD|null) ip A.B.C.D hostname (WORD|null) description (WORD|null)

If the command is issued correctly, the following code will be reached:

if (*argv[1] == '\x00'){
    format_string = "%s%s<%s<%s<%s";
}
else{
    format_string = "%s,%s<%s<%s<%s";
} 
sprintf(buff_0x40,format_string,*argv,argv[1],argv[2],argv[3],argv[4]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41015 - vpn basic protocol

This stack-based buffer overflow can be reached using the following command template:

vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%d<%d<%s",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],"");

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41016 - no vpn basic protocol

This stack-based buffer overflow can be reached using the following command template:

no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%d<%d<%s",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],"");

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41017 - vpn basic protocol with localip

This stack-based buffer overflow can be reached using the following command template:

vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%d<%d<%s",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],argv[7]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41018 - no vpn basic protocol with localip

This stack-based buffer overflow can be reached using the following command template:

no vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%d<%s<%s<%s<%s<%d<%d<%s",1,based_on_argv[0],argv[1],argv[2],argv[3],argv[4],based_on_argv[5],based_on_argv[6],argv[7]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41019 - vpn l2tp advanced name

This stack-based buffer overflow can be reached using the following command template:

vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%s<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],argv[5],"");

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41020 - no vpn l2tp advanced name

This stack-based buffer overflow can be reached using the following command template:

no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%s<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],argv[5],"");

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41021 - vpn l2tp advanced name with options

This stack-based buffer overflow can be reached using the following command template:

vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%s<%s",1,*argv,based_on_argv[1],atoi_argv[2],argv[3],based_on_argv[4],argv[5],"");

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41022 - no vpn l2tp advanced name with options

This stack-based buffer overflow can be reached using the following command template:

no vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null) options WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%s<%s",1,*argv,based_on_argv[1],atoi_argv[2],argv[3],based_on_argv[4],argv[5],"");

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41023 - vpn pptp advanced name

This stack-based buffer overflow can be reached using the following command template:

vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%d<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],"");

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41024 - no vpn pptp advanced name

This stack-based buffer overflow can be reached using the following command template:

no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%d<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],"");

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41025 - vpn pptp advanced name with options

This stack-based buffer overflow can be reached using the following command template:

vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) options WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%d<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],argv[6]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41026 - no vpn pptp advanced name with options

This stack-based buffer overflow can be reached using the following command template:

no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) options WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%d<%s<%s<%d<%d<%s",1,*argv,based_on_argv[1],argv[2],argv[3],based_on_argv[4],based_on_argv[5],argv[6]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41027 - vpn schedule name1

This stack-based buffer overflow can be reached using the following command template:

vpn schedule name1 WORD name2 WORD policy (failover|backup) description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%s<%d<%s",1,*argv,argv[1],based_on_argv[2],argv[3]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41028 - no vpn schedule name1

This stack-based buffer overflow can be reached using the following command template:

no vpn schedule name1 WORD name2 WORD policy (failover|backup) description (WORD|null)

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x100,"%d<%s<%s<%d<%s",1,*argv,argv[1],based_on_argv[2],argv[3]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41029 - wlan filter mac address

This stack-based buffer overflow can be reached using the following command template:

wlan filter mac address WORD descript WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x20,"%s%s%s%s%s%s<%s",octet_from_argv0[0],octet_from_argv0[1],octet_from_argv0[2],octet_from_argv0[3],octet_from_argv0[4],octet_from_argv0[5],argv[1]);

The function executing this code is vulnerable to a stack-based buffer overflow.

CVE-2022-41030 - no wlan filter mac address

This stack-based buffer overflow can be reached using the following command template:

no wlan filter mac address WORD descript WORD

If the command is issued correctly, the following code will be reached:

sprintf(buff_0x20,"%s%s%s%s%s%s<%s",octet_from_argv0[0],octet_from_argv0[1],octet_from_argv0[2],octet_from_argv0[3],octet_from_argv0[4],octet_from_argv0[5],argv[1]);

The function executing this code is vulnerable to a stack-based buffer overflow.

TIMELINE

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Related news

The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter

Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.

Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router. The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and

Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router. The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907