CVE-2022-41154: TALOS-2022-1637 || Cisco Talos Intelligence Group

SUMMARY

A directory traversal vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary file deletion. An attacker can send a network request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

PRODUCT URLS

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

CVSSv3 SCORE

8.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

DETAILS

The Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD offers a feature called M2M. When enabled, the device will execute the m2m binary and offer different network services. One of the services the m2m binary offers handles several commands. To communicate with this service the client must send a specific UDP packet format.

The following portion of the m2m binary manages the DELETE_FILE command:

[...]
cmdid_provided_LB = UDP_data_buff.cmd_id >> 8;
if (cmdid_provided == 0x15) {
  syslog(5,"M2M Command(%02x) DELETE_FILE!!!",0x15);
  m2m_UDP_packet_resp.cmd_id._0_1_ = 0x80;
  m2m_UDP_packet_resp.cmd_id._1_1_ = cmdid_provided_LB;
  [... set base_folder variable ...]
  base_folder_length = strlen(base_folder);
  for (current_entry_off = 0; current_entry_off < (actual_data_len_recv - 0x22);
      current_entry_off = current_entry_off + __bswap_16(previous_data_len)){
    current_data_len = __bswap_16(*(UDP_data_buff.entries[0].data_len + current_entry_off));
    if ((( __bswap_16(*(UDP_data_buff.fix_word + data_idx)) != 0x12)) ||
        (((actual_data_len_recv - 0x22) - current_entry_off) < current_data_len) ||
        (command_string = calloc(current_data_len + base_folder_length + 0xc,1),
        command_string == 0x0)) {                                                                               [1]
      [... invalid state ...]
    }
    sprintf(command_string,"rm -rf %s/%s &",base_folder,&UDP_data_buff.entries[0].data + current_entry_off);   [2]
    syslog(6,"Deleting file :%s",command_string + 7);
    system(command_string);
    free(command_string);
    previous_data_len = *(UDP_data_buff.entries[0].data_len + current_entry_off);                               [3]
    [...]

The packet composition for this command is as follows:

struct M2M_data_entry{
        uint16_t fix_word;
        uint16_t data_len;
        char data[];
};

struct M2M_packet{
        uint16_t packet_len;
        uint16_t cmd_id;
        uint32_t pkd_id;
        uint16_t version;
        struct M2M_data_entry entries[];
};

The UDP packet received, which can contain at most 0x251c bytes, is cast to an M2M_packet. This is a variable-length structure: inside it there is an array of M2M_data_entry structures, each of which is itself variable-length. To walk the entries, the variable current_entry_off is used. It starts at 0 and then, at [3], the M2M_data_entry.data_len of the just-parsed entry is added to it so that the next loop iteration reaches the next entry.

The DELETE_FILE command will execute the command rm -rf <base_folder>/<M2M_data_entry.data> & for each entry in the UDP M2M_packet packet it received.

At [2] the rm -rf <base_folder>/<M2M_data_entry.data> & string is composed and executed. At [1] some checks are performed, but none on the content of M2M_data_entry.data. Because any value of M2M_data_entry.data is accepted, the function is vulnerable to directory path traversal, which leads to arbitrary file deletion.
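As an added illustration (not code from the advisory or from the m2m binary), the following C walks the packet layout above the way the loop at [3] does, repeats the [1]-style checks, and then applies the name check the handler is missing. It assumes data_len counts only the data bytes (the page does not say whether the binary's data_len includes the 4-byte entry header), and the sample packet is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Layout from the advisory's structs, fields big-endian (the binary applies
   __bswap_16): 10-byte M2M_packet header, then M2M_data_entry records of
   fix_word(2) | data_len(2) | data[]. ASSUMPTION: data_len counts only the
   data bytes, so the next entry starts 4 + data_len bytes later. */
#define M2M_HDR   10
#define ENTRY_HDR 4
#define FIX_WORD  0x12
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* The check the handler lacks: a relative name that cannot leave base_folder
   (no NUL, no leading '/', no ".." component). Characters special to sh are
   refused too, since the vulnerable code hands the name to system(). */
int m2m_name_is_safe(const char *name, size_t len) {
    if (len == 0 || name[0] == '/' || memchr(name, '\0', len) != NULL) return 0;
    for (size_t i = 0; i < len; i++)
        if (strchr(" \t\n;&|`$<>()\"'\\*?", name[i])) return 0;
    for (size_t start = 0, i = 0; i <= len; i++) {
        if (i == len || name[i] == '/') {
            if (i - start == 2 && name[start] == '.' && name[start + 1] == '.') return 0;
            start = i + 1;
        }
    }
    return 1;
}
/* Walks entries as the m2m loop does (offset advanced by the entry length),
   applies the [1]-style checks (fix_word == 0x12, data_len inside the packet),
   then the name check. Returns the rejected-entry count, or -1 if malformed. */
int m2m_check_delete_packet(const uint8_t *pkt, size_t pkt_len, int *n_entries) {
    int bad = 0, n = 0;
    if (pkt_len < M2M_HDR) return -1;
    for (size_t off = M2M_HDR; off < pkt_len; n++) {
        if (pkt_len - off < ENTRY_HDR || be16(pkt + off) != FIX_WORD) return -1;
        size_t dlen = be16(pkt + off + 2);
        if (pkt_len - off - ENTRY_HDR < dlen) return -1;
        if (!m2m_name_is_safe((const char *)pkt + off + ENTRY_HDR, dlen)) bad++;
        off += ENTRY_HDR + dlen;
    }
    if (n_entries) *n_entries = n;
    return bad;
}
/* Constructed sample packet (not from a device); header bytes are not
   interpreted here. Entries: "logs.txt" and "../../etc/x". */
static const uint8_t SAMPLE_PKT[] = {
    0,0, 0,0x15, 0,0,0,0, 0,0,
    0x00,0x12, 0x00,0x08, 'l','o','g','s','.','t','x','t',
    0x00,0x12, 0x00,0x0b, '.','.','/','.','.','/','e','t','c','/','x',
};
```

A fixed handler would apply m2m_name_is_safe to every entry before acting and would remove the joined path with unlink() rather than through a shell.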

TIMELINE

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.
