Skip to main content

CVE-2023-25188
Unnecessary privileges on services of Nokia ASIKA

Public disclosure

20-02-2023

Last updated

20-02-2023

Vulnerability type

Execution with Unnecessary Privileges

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H

CVSS score

5.1

Description

If/when CSP (as BTS administrator) removes security hardenings from Nokia Single RAN BTS baseband unit, BTS baseband unit diagnostic tool AaShell (which is by default disabled) allows unauthenticated access from mobile network solution internal BTS management network to BTS embedded Linux operating system level.

"A mobile network solution internal fault was found in Nokia Single RAN SW releases 19B, 20A, 20B, 20C and 21A. Exploit of this fault is not possible from outside of mobile network solution architecture. That is from user UEs or roaming networks or from Internet. Exploit is possible only from CSP mobile network solution internal BTS management network. To exploit the vulnerability, BTS administrator has to disable the recommended 'Security for Ethernet ports' (SOE) flag i.e. a security hardening feature from BTS. Only after this the AaShell diagnostic tool becomes active and communication service provider(CSP) staff can misuse the AaShell for gaining unauthenticated access to BTS internal processes running with high privileges in BTS embedded Linux OS.

From release 21B onwards, AaShell has been hardened to restrict access to the loopback address only so that one can access Aashell only after autheticating to BTS. Also process privileges have been tighten to required level."

Affected products and versions

Product

Versions

Nokia ASIKA Airscale

Nokia Single RAN SW releases 19B, 20A, 20B, 20C and 21A are affected

Mitigation plan

Fix has been provided on top of SRAN 21B onwards.

Acknowledgements

  • Lena David from Synacktiv
  • Geoffrey Bertoli from Synacktiv

References

Change history : Initial version is published on 20-02-2023