PT-2023-13944 · Siretta · Siretta Quartz-Gold

Francesco Benvenuto · Published 2023-01-26 · Updated 2023-10-18 · CVE-2022-41019

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Siretta QUARTZ-GOLD version G5.0.1.5-210720-141020

Description

The issue concerns stack-based buffer overflow vulnerabilities in the DetranCLI command parsing functionality. A specially crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities. The buffer overflow is in the function that manages the "vpn l2tp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> auth (on|off) password (WORD|null)" command template, and involves the variables dns, mtu, mru, auth, and password.

Recommendations

For Siretta QUARTZ-GOLD version G5.0.1.5-210720-141020, as a temporary workaround, consider restricting access to the DetranCLI command parsing functionality until a patch is available. Avoid using the vpn l2tp advanced command template with potentially malicious input for the dns, mtu, mru, auth, and password variables. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
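
An added example, not Siretta's code and not taken from the advisory: a C parser that accepts only token lists matching the vpn l2tp advanced command template, bounds every WORD before copying it, and range-checks mtu and mru. WORD_MAX, struct l2tp_adv and the function names are assumptions; the advisory does not give the firmware's buffer sizes.

```c
#include <stdlib.h>
#include <string.h>

#define WORD_MAX 64 /* assumed field size; the advisory gives no buffer sizes */
struct l2tp_adv { char name[WORD_MAX], password[WORD_MAX]; int dns, mtu, mru, auth; };
/* Copy a WORD only if it is non-empty and fits in WORD_MAX including the NUL. */
static int copy_word(char *dst, const char *s) {
    size_t n = 0;
    while (n < WORD_MAX && s[n] != '\0') n++;
    if (n == 0 || n == WORD_MAX) return 0;
    memcpy(dst, s, n + 1);
    return 1;
}
/* Parse a decimal integer in [128, 16384]; reject signs, spaces, trailing bytes. */
static int parse_range(const char *s, int *out) {
    char *end;
    long v = strtol(s, &end, 10);
    if (*s < '0' || *s > '9' || *end != '\0' || v < 128 || v > 16384) return 0;
    *out = (int)v;
    return 1;
}
/* Accept exactly one of two literals; *out is 1 for the first, 0 otherwise. */
static int parse_choice(const char *s, const char *on, const char *off, int *out) {
    *out = strcmp(s, on) == 0;
    return *out || strcmp(s, off) == 0;
}
/* 0 = accepted, -1 = wrong token count, else 1-based index of the first bad token.
 * On any non-zero result the struct may be partly filled and must be discarded. */
int parse_l2tp_advanced(int argc, const char *const argv[], struct l2tp_adv *c) {
    static const char *const kw[15] = {"vpn", "l2tp", "advanced", "name", NULL, "dns", NULL,
        "mtu", NULL, "mru", NULL, "auth", NULL, "password", NULL};
    if (argc != 15) return -1;
    for (int i = 0; i < 15; i++) {
        const char *t = argv[i];
        int ok = kw[i] ? strcmp(t, kw[i]) == 0
               : i == 4  ? copy_word(c->name, t)
               : i == 6  ? parse_choice(t, "yes", "no", &c->dns)
               : i == 12 ? parse_choice(t, "on", "off", &c->auth)
               : i == 14 ? copy_word(c->password, t)
               :           parse_range(t, i == 8 ? &c->mtu : &c->mru);
        if (!ok) return i + 1;
    }
    return 0;
}
int main(void) { /* constructed sample command, already split into tokens */
    const char *const cmd[15] = {"vpn", "l2tp", "advanced", "name", "site1", "dns", "yes",
        "mtu", "1400", "mru", "1400", "auth", "on", "password", "null"};
    struct l2tp_adv c;
    return parse_l2tp_advanced(15, cmd, &c); /* exit status 0 when accepted */
}
```

A check like this belongs in front of any code that copies the command's arguments into fixed-size buffers, so over-long or out-of-range values are rejected before they reach the copy.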

Exploit

Memory Corruption

Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2022-41019

Affected Products

Siretta Quartz-Gold