CVE-2022-2070
Published 2022-09-23
Priority P273 · Critical 9.8 (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit available · EPSS 4.30% (89.9th percentile)
In Grandstream GSD3710 in its 1.0.11.13 version, it's possible to overflow the stack since it doesn't check the param length before using the sscanf instruction. Because of that, an attacker could create a socket and connect with a remote IP:port by opening a shell and getting full access to the system. The exploit affects daemons dbmng and logsrv that are running on ports 8000 and 8001 by default.
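The unchecked-sscanf pattern described above, reduced to its essentials. This is an added illustration, not the GSD3710 dbmng/logsrv source: the command layout "LOG/1.0 END CMD:AUTH_USERNAME @<user>" is assumed from the indicator list on this page, and the 128-byte stack buffer and the names parse_auth_username_unsafe, parse_auth_username_safe and make_auth_line are hypothetical. It shows the vulnerable shape beside a hardened one that rejects an overlong field rather than silently truncating it.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Added illustration of the bug class; this is not the GSD3710 dbmng/logsrv
 * source. The command layout is assumed from the indicator list on this page:
 * "LOG/1.0 END CMD:AUTH_USERNAME @<user>". */
#define AUTH_PREFIX "LOG/1.0 END CMD:AUTH_USERNAME @"
#define USER_MAX    128                                        /* assumed stack buffer size */
#define FMT_UNSAFE  "LOG/1.0 END CMD:AUTH_USERNAME @%s"
#define FMT_SAFE    "LOG/1.0 END CMD:AUTH_USERNAME @%127s"     /* width = USER_MAX - 1 */

/* Vulnerable shape: %s carries no width, so sscanf copies the username until
 * the next whitespace. A 200-byte username overruns `user` and the saved
 * return address above it. Never call this with untrusted input. */
int parse_auth_username_unsafe(const char *line, char *user_out, size_t out_cap)
{
    char user[USER_MAX];
    if (sscanf(line, FMT_UNSAFE, user) != 1)
        return -1;
    if (strlen(user) + 1 > out_cap)
        return -1;
    memcpy(user_out, user, strlen(user) + 1);
    return 0;
}

/* Hardened shape: measure the field before parsing and refuse anything that
 * would not fit; the width in FMT_SAFE is a backstop so that even a missed
 * check cannot write past `user`. Rejecting (instead of truncating) also avoids
 * authenticating under a shortened name. */
int parse_auth_username_safe(const char *line, char *user_out, size_t out_cap)
{
    char user[USER_MAX];
    const char *field = strstr(line, AUTH_PREFIX);
    if (field == NULL)
        return -1;
    field += strlen(AUTH_PREFIX);
    if (strcspn(field, " \t\r\n") >= USER_MAX)   /* too long: refuse the command */
        return -1;
    if (sscanf(line, FMT_SAFE, user) != 1)
        return -1;
    if (strlen(user) + 1 > out_cap)
        return -1;
    memcpy(user_out, user, strlen(user) + 1);
    return 0;
}

/* Builds a constructed AUTH_USERNAME command whose username is `user_len`
 * bytes of 'A'; returns the line length, or 0 if it does not fit in `cap`. */
size_t make_auth_line(char *buf, size_t cap, size_t user_len)
{
    size_t plen = strlen(AUTH_PREFIX);
    if (plen + user_len + 1 > cap)
        return 0;
    memcpy(buf, AUTH_PREFIX, plen);
    memset(buf + plen, 'A', user_len);
    buf[plen + user_len] = '\0';
    return plen + user_len;
}

int main(void)
{
    char line[512], out[USER_MAX];
    make_auth_line(line, sizeof line, 8);
    printf("8-byte username:   %s\n",
           parse_auth_username_safe(line, out, sizeof out) == 0 ? "accepted" : "rejected");
    make_auth_line(line, sizeof line, 200);   /* the size class the exploit needs */
    printf("200-byte username: %s\n",
           parse_auth_username_safe(line, out, sizeof out) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The pre-check and the `%127s` width are deliberately redundant: the width alone would stop the overflow but would let a 200-byte name through as a 127-byte one, which is a different bug.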
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| grandstream | gds3710_firmware | — | — |
| grandstream | grandstream_gsd3710 | — | — |
Detection & IOCs (extracted from sources)
Bytes: \x01\x30\x8F\xE2\x13\xFF\x2F\xE1\x02\x20\x01\x21\x92\x1A\xC8\x27\x51\x37\x01\xDF\x04\x1C
(the opening of the ARM reverse-shell shellcode: the ARM-to-Thumb switch `add r1, pc, #1; bx r1`, then the Thumb setup for the socket() syscall, r7 = 200 + 81 = 281, followed by `svc 1` and saving the descriptor in r4)
Detection:
- Detect stack buffer overflow exploitation attempts against Grandstream GSD3710 by monitoring for oversized payloads (>144 bytes of padding) sent to TCP ports 8000 or 8001, prefixed with the auth command string 'LOG/1.0 END CMD:AUTH_USERNAME @'.
- Flag connections to TCP ports 8000/8001 on Grandstream GSD3710 devices that contain the byte sequence 0x43434343 (junk ROP filler) following the AUTH_USERNAME command prefix.
- Detect ARM Linux reverse shell shellcode on the wire: look for the thumb-mode switch sequence \x01\x30\x8F\xE2\x13\xFF\x2F\xE1 in TCP payloads directed at the device.
- Monitor for outbound TCP connections from Grandstream GSD3710 devices (reverse shell callback) immediately after inbound traffic on ports 8000/8001, indicating successful exploitation and shell execution via execve('/bin/sh').
- The exploit uses an mprotect ROP chain with libc_base 0x76ec1000 on the target; memory forensics or crash dumps showing ROP gadget addresses relative to this base indicate exploitation of CVE-2022-2070.
Caveats:
- The default vulnerable ports (8000/8001) may be reconfigured by administrators; verify the actual listening ports for dbmng and logsrv on the target device before relying on port-based detection.
- The exploit script example uses port 8081 as the target port argument, which differs from the documented default ports 8000/8001; detection rules should cover all three ports.
- The ROP gadget offsets are hardcoded against libc_base 0x76ec1000 for firmware 1.0.11.13; different firmware versions will have different libc base addresses, making these offsets version-specific.
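The payload-level indicators above as one check over a captured TCP payload. This is an added example, not a rule shipped by the source or by any vendor: score_payload, build_sample, find_bytes, PAD_THRESHOLD and the IOC_* flags are assumed names, and the two sample packets are constructed inline (a benign login and a PoC-shaped packet with 150 bytes of padding, 0x43434343 filler and the thumb-switch stub).

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example; these indicators mirror the list above and are not a
 * signature shipped by any vendor. Run over the TCP payload of traffic to the
 * device's dbmng/logsrv ports (8000/8001 by default, 8081 in the PoC). */
#define AUTH_PREFIX   "LOG/1.0 END CMD:AUTH_USERNAME @"
#define PAD_THRESHOLD 144   /* padding beyond this is well past a legitimate username */

/* add r1, pc, #1 ; bx r1 : the ARM-to-Thumb switch that opens the shellcode. */
static const unsigned char THUMB_SWITCH[] = {0x01, 0x30, 0x8F, 0xE2, 0x13, 0xFF, 0x2F, 0xE1};
static const unsigned char CCCC_FILLER[]  = {0x43, 0x43, 0x43, 0x43};   /* 0x43434343 */

enum { IOC_OVERSIZED = 1, IOC_CCCC_FILLER = 2, IOC_THUMB_SWITCH = 4 };

/* memmem() is not in C99; a small portable substitute. */
static const unsigned char *find_bytes(const unsigned char *hay, size_t hlen,
                                       const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen) return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return hay + i;
    return NULL;
}

/* Returns a bitmask of IOC_* flags raised by one payload. The two
 * AUTH_USERNAME checks require the command prefix; the shellcode check does
 * not, because the same stub would appear in any other injected payload. */
int score_payload(const unsigned char *buf, size_t len)
{
    int flags = 0;
    size_t plen = strlen(AUTH_PREFIX);
    if (len >= plen && memcmp(buf, AUTH_PREFIX, plen) == 0) {
        const unsigned char *body = buf + plen;
        size_t blen = len - plen;
        if (blen > PAD_THRESHOLD) flags |= IOC_OVERSIZED;
        if (find_bytes(body, blen, CCCC_FILLER, sizeof CCCC_FILLER)) flags |= IOC_CCCC_FILLER;
    }
    if (find_bytes(buf, len, THUMB_SWITCH, sizeof THUMB_SWITCH)) flags |= IOC_THUMB_SWITCH;
    return flags;
}

/* Constructed samples: a benign login and a payload shaped like the PoC
 * (prefix, 150 bytes of padding, four words of ROP filler, shellcode stub).
 * Returns the payload length, or 0 if `cap` is too small. */
size_t build_sample(int malicious, unsigned char *out, size_t cap)
{
    size_t plen = strlen(AUTH_PREFIX), n = 0;
    if (!malicious) {
        if (cap < plen + 5) return 0;
        memcpy(out, AUTH_PREFIX, plen); n = plen;
        memcpy(out + n, "admin", 5);    n += 5;
        return n;
    }
    if (cap < plen + 150 + 4 * sizeof CCCC_FILLER + sizeof THUMB_SWITCH) return 0;
    memcpy(out, AUTH_PREFIX, plen); n = plen;
    memset(out + n, 'A', 150);      n += 150;
    for (int i = 0; i < 4; i++) {
        memcpy(out + n, CCCC_FILLER, sizeof CCCC_FILLER);
        n += sizeof CCCC_FILLER;
    }
    memcpy(out + n, THUMB_SWITCH, sizeof THUMB_SWITCH); n += sizeof THUMB_SWITCH;
    return n;
}

int main(void)
{
    unsigned char pkt[512];
    size_t n = build_sample(0, pkt, sizeof pkt);
    printf("benign login      -> flags 0x%x\n", score_payload(pkt, n));
    n = build_sample(1, pkt, sizeof pkt);
    printf("PoC-shaped packet -> flags 0x%x\n", score_payload(pkt, n));
    return 0;
}
```

Port filtering is left to the capture layer on purpose: per the caveats above, feed this the streams for whatever ports dbmng and logsrv actually listen on (8000/8001 by default, 8081 in the PoC), and treat the thumb-switch flag as high confidence even without the prefix.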
CVSS provenance
NVD v3.1: 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GHSA
GHSA-54xp-94gx-wj5g · ghsa_unreviewed · 2022-09-25 · CVE-2022-2070 [CRITICAL] · CWE-787
No detection rules found.