Headline

CVE-2022-42493: TALOS-2022-1640 || Cisco Talos Intelligence Group

Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is reachable through the m2m’s DOWNLOAD_INFO command.

1 year ago

CVE

Open in Source

#vulnerability #cisco #intel #ssh

SUMMARY

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

PRODUCT URLS

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

CVSSv3 SCORE

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

DETAILS

The Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD offers a feature called M2M. When enabled, the device will execute the m2m binary and offer different network services. One of the services the m2m binary offers handles several commands. To communicate with this service the client must send a specific UDP packet format.

Several commands use the m2m_parse_router_config function:

uint m2m_parse_router_config(char *data,uint data_len)

{
  [...]

  memset(nvram_command,0,0x800);
  memset(param,0,0x400);
  syslog(5,"----parse_router_config %d:%s----",data_len,data);
  syslog(5,"----NVRAM Set Command Start----");
  len_first_no_& = strspn(data,"&");
  strncpy(param,data + len_first_no_&,0x400);
  first_& = strcspn(param,"&" );
  param[first_&] = '\0';
  local_19 = 0;
  pcVar1 = strchr(data + len_first_no_&,L'&');
  while (param[0] != '\0') {
    memset(nvram_command,0,0x800);
    sprintf(nvram_command,"nvram set %s",param);                                                                [1]
    syslog(5,"%s",nvram_command);
    system(nvram_command);                                                                                      [2]
    [...]

This function will parse data in the UDP packet received. The command expects a list that looks like: <nvram_key_1>=<nvram_value_1>&<nvram_key_2>=<nvram_value_2>… Then, for each key value pair, it will compose at [1] the nvram set <nvram_key>=<nvram_value>. The composed string will be used as argument for the system function at [2]. The problem is that from receiving the command packet to [2] the data is never sanitized. This allows any string to be used as argument of the system call. This can lead to an OS command injection.

Following is the list of the vulnerable commands that will call the m2m_parse_router_config function.

CVE-2022-42490 - DOWNLOAD_CFG_FILE command injection

Following is the portion of m2m binary that manages the DOWNLOAD_CFG_FILE command:

syslog(5,"M2M Command(%02x) DOWNLOAD_CFG_FILE!!!",0x16);
[...]
data_len = __bswap_16(UDP_data_buff.data_len;
syslog(5,"DOWNLOAD_CFG_FILE %d:%s",
        data_len),
        &UDP_data_buff.data);
temp = m2m_parse_router_config(&UDP_data_buff.data, data_len);
[...]

The command will call the m2m_parse_router_config function with the provided UDP_data_buff.data, which is an array of characters, and UDP_data_buff.data_len, its length. This will lead to a command injection vulnerability.

CVE-2022-42491 - M2M_CONFIG_SET command injection

Following is the portion of m2m binary that manages the M2M_CONFIG_SET command:

syslog(5,"M2M Command(%02x) M2M_CONFIG_SET!!!",6);
[...]
data_len = __bswap_16(UDP_data_buff.data_len;
syslog(5,"M2M_CONIFG_SET %d:%s",
       data_len,
       &UDP_data_buff.data);
global_UDP_packet = m2m_parse_router_config(&UDP_data_buff.data,data_len);
[...]

CVE-2022-42492 - DOWNLOAD_AD command injection

Following is the portion of m2m binary that manages the DOWNLOAD_AD command:

syslog(5,"M2M Command(%02x) DOWNLOAD_AD!!!",0xe);
[...]
data_len = __bswap_16(UDP_data_buff.data_len;
syslog(5,"M2M_CONIFG_SET %d:%s",
       data_len,
       &UDP_data_buff.data);
if (DOWNLOAD_THREAD_STARTED == 0) {
  global_UDP_packet = m2m_parse_router_config(&UDP_data_buff.data,data_len);
[...]

CVE-2022-42493 - DOWNLOAD_INFO command injection

Following is the portion of m2m binary that manages the DOWNLOAD_INFO command:

syslog(5,"M2M Command(%02x) DOWNLOAD_INFO!!!",0xc);
[...]
data_len = __bswap_16(UDP_data_buff.data_len;
syslog(5,"M2M_CONIFG_SET %d:%s",
     data_len,
     &UDP_data_buff.data);
nvram_unset("type");
temp = m2m_parse_router_config(&UDP_data_buff.data, data_len);
[...]

TIMELINE

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.

Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router. The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and

1 year ago

TALOS

Open in Source

#vulnerability #linux #cisco #rce #buffer_overflow #ssh

Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato

1 year ago

TALOS

Open in Source

#vulnerability #linux #cisco #rce #buffer_overflow #ssh