CVE-2022-42493: TALOS-2022-1640 || Cisco Talos Intelligence Group
Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities. This command injection is reachable through the m2m's DOWNLOAD_INFO command.
SUMMARY
Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
PRODUCT URLS
QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/
CVSSv3 SCORE
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
DETAILS
The Siretta QUARTZ-GOLD is an industrial router that offers several functionalities and services, such as SSH, UPnP, VPN, SNMP and many others.
The QUARTZ-GOLD offers a feature called M2M. When it is enabled, the device executes the m2m binary, which exposes several network services. One of these services handles a set of commands; to communicate with it, the client must send a UDP packet in a specific format.
Several commands use the m2m_parse_router_config function:
uint m2m_parse_router_config(char *data,uint data_len)
{
  [...]
  memset(nvram_command,0,0x800);
  memset(param,0,0x400);
  syslog(5,"----parse_router_config %d:%s----",data_len,data);
  syslog(5,"----NVRAM Set Command Start----");
  /* skip leading '&' separators and copy the first <key>=<value> pair into param */
  len_first_no_amp = strspn(data,"&");
  strncpy(param,data + len_first_no_amp,0x400);
  first_amp = strcspn(param,"&");
  param[first_amp] = '\0';
  local_19 = 0;
  pcVar1 = strchr(data + len_first_no_amp,'&');
  /* one iteration per pair: the unsanitized pair is formatted into a shell command and executed */
  while (param[0] != '\0') {
    memset(nvram_command,0,0x800);
    sprintf(nvram_command,"nvram set %s",param);   [1]
    syslog(5,"%s",nvram_command);
    system(nvram_command);   [2]
  [...]
This function parses the data carried in the received UDP packet. The command expects a list of the form <nvram_key_1>=<nvram_value_1>&<nvram_key_2>=<nvram_value_2>… For each key-value pair, it composes at [1] the string nvram set <nvram_key>=<nvram_value>, which is then passed as the argument to the system function at [2]. At no point between the reception of the command packet and the call at [2] is the data sanitized, so any string can be used as the argument of the system call. This leads to an OS command injection.
Following is the list of the vulnerable commands that call the m2m_parse_router_config function.
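As an added example (not code from the advisory or from the Siretta firmware), the following is a hardened stand-in for the loop above: every <key>=<value> pair is checked against a character allowlist before anything is applied, and nvram set is executed through execlp() with one argv element per word rather than through system(). The allowed character sets, the 0x400-byte limit and an nvram tool on PATH are assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not Siretta's code: a hardened stand-in for the loop in m2m_parse_router_config.
 * Each "key=value" pair must pass a character allowlist, and "nvram set" runs via execlp(), not system(). */
/* 1 if every byte of s[0..n) is alphanumeric or listed in extra; an embedded NUL never passes. */
static int valid_token(const char *s, size_t n, const char *extra) {
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\0' || (!isalnum((unsigned char)s[i]) && !strchr(extra, s[i]))) return 0;
    return 1;
}
/* 1 if pair[0..len) is a well-formed "key=value" with non-empty key and value (charsets are assumptions). */
int valid_pair(const char *pair, size_t len) {
    const char *eq = memchr(pair, '=', len);
    if (eq == NULL || eq == pair || eq == pair + len - 1) return 0;
    size_t klen = (size_t)(eq - pair);
    return valid_token(pair, klen, "_") && valid_token(eq + 1, len - klen - 1, "_.-:");
}
/* Next '&'-delimited token from *pos; returns 0 at end of input or at an embedded NUL. */
static int next_pair(const char *d, size_t n, size_t *pos, size_t *start, size_t *len) {
    while (*pos < n && d[*pos] == '&') (*pos)++;
    *start = *pos;
    while (*pos < n && d[*pos] != '&' && d[*pos] != '\0') (*pos)++;
    return (*len = *pos - *start) > 0;
}
/* "nvram set key=value" with one argv element per word, so no shell ever parses the data. */
static int nvram_set_noshell(const char *pair) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execlp("nvram", "nvram", "set", pair, (char *)NULL); _exit(127); }
    int st = 0;
    return (waitpid(pid, &st, 0) == pid && WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}
/* Validates every pair before applying any; -1 if one is rejected or too long. dry_run: validate only. */
int parse_router_config_safe(const char *data, size_t data_len, int dry_run) {
    size_t pos = 0, start, len; int count = 0;
    while (next_pair(data, data_len, &pos, &start, &len))
        if (len >= 0x400 || !valid_pair(data + start, len)) return -1; else count++;
    if (dry_run) return count;
    for (pos = 0; next_pair(data, data_len, &pos, &start, &len); ) {
        char pair[0x400];
        memcpy(pair, data + start, len);
        pair[len] = '\0';
        if (nvram_set_noshell(pair) != 0) return -1;
    }
    return count;
}
```

Because validation runs over the whole list before the first pair is applied, a single rejected pair leaves the device configuration untouched.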
CVE-2022-42490 - DOWNLOAD_CFG_FILE command injection
Following is the portion of m2m binary that manages the DOWNLOAD_CFG_FILE command:
syslog(5,"M2M Command(%02x) DOWNLOAD_CFG_FILE!!!",0x16);
[...]
data_len = __bswap_16(UDP_data_buff.data_len);
syslog(5,"DOWNLOAD_CFG_FILE %d:%s",
       data_len,
       &UDP_data_buff.data);
temp = m2m_parse_router_config(&UDP_data_buff.data, data_len);
[...]
The command will call the m2m_parse_router_config function with the provided UDP_data_buff.data, which is an array of characters, and UDP_data_buff.data_len, its length. This will lead to a command injection vulnerability.
CVE-2022-42491 - M2M_CONFIG_SET command injection
Following is the portion of m2m binary that manages the M2M_CONFIG_SET command:
syslog(5,"M2M Command(%02x) M2M_CONFIG_SET!!!",6);
[...]
data_len = __bswap_16(UDP_data_buff.data_len);
syslog(5,"M2M_CONIFG_SET %d:%s",
       data_len,
       &UDP_data_buff.data);
global_UDP_packet = m2m_parse_router_config(&UDP_data_buff.data,data_len);
[...]
The command will call the m2m_parse_router_config function with the provided UDP_data_buff.data, which is an array of characters, and UDP_data_buff.data_len, its length. This will lead to a command injection vulnerability.
CVE-2022-42492 - DOWNLOAD_AD command injection
Following is the portion of m2m binary that manages the DOWNLOAD_AD command:
syslog(5,"M2M Command(%02x) DOWNLOAD_AD!!!",0xe);
[...]
data_len = __bswap_16(UDP_data_buff.data_len);
syslog(5,"M2M_CONIFG_SET %d:%s",
       data_len,
       &UDP_data_buff.data);
if (DOWNLOAD_THREAD_STARTED == 0) {
  global_UDP_packet = m2m_parse_router_config(&UDP_data_buff.data,data_len);
[...]
The command will call the m2m_parse_router_config function with the provided UDP_data_buff.data, which is an array of characters, and UDP_data_buff.data_len, its length. This will lead to a command injection vulnerability.
CVE-2022-42493 - DOWNLOAD_INFO command injection
Following is the portion of m2m binary that manages the DOWNLOAD_INFO command:
syslog(5,"M2M Command(%02x) DOWNLOAD_INFO!!!",0xc);
[...]
data_len = __bswap_16(UDP_data_buff.data_len);
syslog(5,"M2M_CONIFG_SET %d:%s",
       data_len,
       &UDP_data_buff.data);
nvram_unset("type");
temp = m2m_parse_router_config(&UDP_data_buff.data, data_len);
[...]
The command will call the m2m_parse_router_config function with the provided UDP_data_buff.data, which is an array of characters, and UDP_data_buff.data_len, its length. This will lead to a command injection vulnerability.
TIMELINE
2022-10-14 - Initial Vendor Contact
2022-10-20 - Vendor Disclosure
2022-11-24 - Vendor Patch Release
2023-01-26 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.