CVE-2022-42492,CVE-2022-42491,CVE-2022-42493,CVE-2022-42490
Several OS command injection vulnerabilities exist in the m2m binary of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/
9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
The Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as: SSH, UPNP, VPN, SNMP and many others.
The QUARTZ-GOLD offers a feature called M2M. When enabled, the device will execute the m2m binary and offer different network services. One of the services the m2m binary offers handles several commands. To communicate with this service the client must send a specific UDP packet format.
Several commands use the m2m_parse_router_config function:
uint m2m_parse_router_config(char *data,uint data_len)
{
    [...]
    memset(nvram_command,0,0x800);
    memset(param,0,0x400);
    syslog(5,"----parse_router_config %d:%s----",data_len,data);
    syslog(5,"----NVRAM Set Command Start----");
    /* decompiler variable names containing '&' have been renamed to valid C identifiers */
    len_first_no_amp = strspn(data,"&");            /* skip leading '&' separators */
    strncpy(param,data + len_first_no_amp,0x400);
    first_amp = strcspn(param,"&");                 /* cut the first key=value pair */
    param[first_amp] = '\0';
    local_19 = 0;
    pcVar1 = strchr(data + len_first_no_amp,'&');
    while (param[0] != '\0') {
        memset(nvram_command,0,0x800);
        sprintf(nvram_command,"nvram set %s",param);  /* [1] attacker data copied verbatim */
        syslog(5,"%s",nvram_command);
        system(nvram_command);                        /* [2] executed through the shell */
    [...]
This function will parse data in the UDP packet received. The command expects a list that looks like: <nvram_key_1>=<nvram_value_1>&<nvram_key_2>=<nvram_value_2>.... Then, for each key value pair, it will compose at [1] the string nvram set <nvram_key>=<nvram_value>. The composed string will be used as argument for the system function at [2]. The problem is that from receiving the command packet to [2] the data is never sanitized. This allows any string to be used as argument of the system call. This can lead to an OS command injection.
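The following C program is an added example, not Siretta's code or the m2m binary's code: it shows how the same <key>=<value>&<key>=<value> payload could be parsed without the sprintf/system pattern that causes the injection. Every pair is validated against an allowlist before anything is applied, and the accepted pairs are handed to a callback as separate key and value strings; the production callback runs the nvram helper via execvp with the pair as its own argv element, so no shell ever interprets the payload. The "nvram set" tool name is taken from the advisory's format string; its location on the device, the key and value character rules, and the sample payloads are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example (not vendor code): a hardened parser for
 * "<k1>=<v1>&<k2>=<v2>..." that never builds a shell command line. */
#define MAX_PAIRS 16
#define MAX_KEY   64
#define MAX_VAL   256

typedef int (*set_fn)(const char *key, const char *value, void *ctx);

/* Assumed key rule: NVRAM keys are identifiers, [A-Za-z0-9_]+ */
static int key_ok(const char *k, size_t n)
{
    if (n == 0 || n >= MAX_KEY) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)k[i]) && k[i] != '_') return 0;
    return 1;
}

/* Assumed value rule: printable ASCII, none of the characters a shell
 * would interpret (defence in depth even though no shell is used here). */
static int value_ok(const char *v, size_t n)
{
    if (n >= MAX_VAL) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c < 0x20 || c > 0x7e) return 0;
        if (strchr(";|`$()<>\\\"'&", c) != NULL) return 0;
    }
    return 1;
}

/* Parse data_len bytes of UDP payload (not assumed NUL-terminated).
 * All pairs are validated before any is applied: a packet is accepted or
 * rejected as a whole. Returns pairs applied, or -1 on any bad pair. */
int parse_router_config_safe(const char *data, size_t data_len,
                             set_fn apply, void *ctx)
{
    char keys[MAX_PAIRS][MAX_KEY], vals[MAX_PAIRS][MAX_VAL];
    int n = 0;
    size_t i = 0;
    while (i < data_len) {
        if (data[i] == '&') { i++; continue; }    /* skip empty segments */
        size_t start = i;
        while (i < data_len && data[i] != '&') i++;
        size_t seg_len = i - start;
        const char *eq = memchr(data + start, '=', seg_len);
        if (eq == NULL || n >= MAX_PAIRS) return -1;
        size_t klen = (size_t)(eq - (data + start));
        size_t vlen = seg_len - klen - 1;
        if (!key_ok(data + start, klen) || !value_ok(eq + 1, vlen)) return -1;
        memcpy(keys[n], data + start, klen); keys[n][klen] = '\0';
        memcpy(vals[n], eq + 1, vlen);       vals[n][vlen] = '\0';
        n++;
    }
    for (int j = 0; j < n; j++)
        if (apply(keys[j], vals[j], ctx) != 0) return -1;
    return n;
}

/* Production callback: invoke "nvram set key=value" with execvp, so the
 * pair is a single argv element and is never parsed by /bin/sh. */
int nvram_set_exec(const char *key, const char *value, void *ctx)
{
    (void)ctx;
    char pair[MAX_KEY + MAX_VAL + 2];
    snprintf(pair, sizeof pair, "%s=%s", key, value);
    char *argv[] = { "nvram", "set", pair, NULL };   /* path assumed */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Recording callback for offline testing: captures what would be set. */
struct record { char key[MAX_PAIRS][MAX_KEY]; char val[MAX_PAIRS][MAX_VAL]; int n; };
static struct record last;
static int record_set(const char *key, const char *value, void *ctx)
{
    struct record *r = ctx;
    if (r->n >= MAX_PAIRS) return -1;
    strcpy(r->key[r->n], key); strcpy(r->val[r->n], value); r->n++;
    return 0;
}
int check_payload(const char *payload)   /* NUL-terminated payload -> recorder */
{
    memset(&last, 0, sizeof last);
    return parse_router_config_safe(payload, strlen(payload), record_set, &last);
}
const char *recorded_key(int i)   { return last.key[i]; }
const char *recorded_value(int i) { return last.val[i]; }

int main(void)
{
    /* Constructed sample payloads: a benign one and the shape the advisory
     * describes, where a value carries shell metacharacters. */
    printf("benign  -> %d pairs\n", check_payload("lan_ipaddr=192.168.1.1&wan_proto=dhcp"));
    printf("hostile -> %d (rejected)\n", check_payload("lan_ipaddr=192.168.1.1;reboot"));
    return 0;
}
```

The two changes that matter are the all-or-nothing validation pass and the use of execvp with a fixed argv instead of system(): even if a value slipped past the allowlist, it would reach the nvram helper as data rather than as shell syntax. On firmware where nvram is available as a library call rather than a binary, the callback would call that API directly and the fork/exec path disappears entirely.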
Following is the list of the vulnerable commands that will call the m2m_parse_router_config function.
Following is the portion of the m2m binary that manages the DOWNLOAD_CFG_FILE command:
syslog(5,"M2M Command(%02x) DOWNLOAD_CFG_FILE!!!",0x16);
[...]
data_len = __bswap_16(UDP_data_buff.data_len);
syslog(5,"DOWNLOAD_CFG_FILE %d:%s",data_len,&UDP_data_buff.data);
temp = m2m_parse_router_config(&UDP_data_buff.data, data_len);
[...]
The command will call the m2m_parse_router_config function with the provided UDP_data_buff.data, which is an array of characters, and UDP_data_buff.data_len, its length. This will lead to a command injection vulnerability.
Following is the portion of the m2m binary that manages the M2M_CONFIG_SET command:
syslog(5,"M2M Command(%02x) M2M_CONFIG_SET!!!",6);
[...]
data_len = __bswap_16(UDP_data_buff.data_len);
syslog(5,"M2M_CONIFG_SET %d:%s",data_len,&UDP_data_buff.data);
global_UDP_packet = m2m_parse_router_config(&UDP_data_buff.data,data_len);
[...]
The command will call the m2m_parse_router_config function with the provided UDP_data_buff.data, which is an array of characters, and UDP_data_buff.data_len, its length. This will lead to a command injection vulnerability.
Following is the portion of the m2m binary that manages the DOWNLOAD_AD command:
syslog(5,"M2M Command(%02x) DOWNLOAD_AD!!!",0xe);
[...]
data_len = __bswap_16(UDP_data_buff.data_len);
syslog(5,"M2M_CONIFG_SET %d:%s",data_len,&UDP_data_buff.data);
if (DOWNLOAD_THREAD_STARTED == 0) {
    global_UDP_packet = m2m_parse_router_config(&UDP_data_buff.data,data_len);
[...]
The command will call the m2m_parse_router_config function with the provided UDP_data_buff.data, which is an array of characters, and UDP_data_buff.data_len, its length. This will lead to a command injection vulnerability.
Following is the portion of the m2m binary that manages the DOWNLOAD_INFO command:
syslog(5,"M2M Command(%02x) DOWNLOAD_INFO!!!",0xc);
[...]
data_len = __bswap_16(UDP_data_buff.data_len);
syslog(5,"M2M_CONIFG_SET %d:%s",data_len,&UDP_data_buff.data);
nvram_unset("type");
temp = m2m_parse_router_config(&UDP_data_buff.data, data_len);
[...]
The command will call the m2m_parse_router_config function with the provided UDP_data_buff.data, which is an array of characters, and UDP_data_buff.data_len, its length. This will lead to a command injection vulnerability.
2022-10-14 - Initial Vendor Contact
2022-10-20 - Vendor Disclosure
2022-11-24 - Vendor Patch Release
2023-01-26 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.