CVE-2022-41017

Name of the Vulnerable Software and Affected Versions Siretta QUARTZ-GOLD version 5.0.1.5-210720-141020

Description The issue concerns stack-based buffer overflow vulnerabilities in the DetranCLI command parsing functionality. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities, which are located in the function managing the vpn basic protocol (l2tp|pptp) name WORD server WORD username WORD passsword WORD firmwall (on|off) defroute (on|off) localip A.B.C.D command template.

Recommendations For version 5.0.1.5-210720-141020, consider disabling the DetranCLI command parsing functionality until a patch is available to prevent arbitrary command execution. Restrict access to the vpn basic protocol command template to minimize the risk of exploitation. Avoid using the vpn basic protocol command with specially-crafted network packets until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.