CVE-2022-41024

Name of the Vulnerable Software and Affected Versions Siretta QUARTZ-GOLD version G5.0.1.5-210720-141020

Description The issue concerns stack-based buffer overflow vulnerabilities in the DetranCLI command parsing functionality. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. The buffer overflow is specifically in the function managing the no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) command template, involving variables such as dns, mtu, mru, mppe, and stateful.

Recommendations As a temporary workaround, consider disabling the command parsing functionality for the no vpn pptp advanced command until a patch is available. Restrict access to the DetranCLI to minimize the risk of exploitation. Avoid using the no vpn pptp advanced command with specially-crafted input until the issue is resolved.