CVE-2023-25188
Unnecessary privileges on services of Nokia ASIKA
| Public disclosure | 20-02-2023 |
|---|---|
| Last updated | 20-02-2023 |
| Vulnerability type | Execution with Unnecessary Privileges |
| CVSS vector | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H |
| CVSS score | 5.1 |
Description
If a CSP (acting as BTS administrator) removes the security hardening from a Nokia Single RAN BTS baseband unit, the baseband unit's diagnostic tool AaShell (which is disabled by default) allows unauthenticated access from the mobile network solution's internal BTS management network to the BTS embedded Linux operating system level.
"A mobile network solution internal fault was found in Nokia Single RAN SW releases 19B, 20A, 20B, 20C and 21A. Exploit of this fault is not possible from outside of mobile network solution architecture. That is from user UEs or roaming networks or from Internet. Exploit is possible only from CSP mobile network solution internal BTS management network. To exploit the vulnerability, BTS administrator has to disable the recommended 'Security for Ethernet ports' (SOE) flag i.e. a security hardening feature from BTS. Only after this the AaShell diagnostic tool becomes active and communication service provider (CSP) staff can misuse the AaShell for gaining unauthenticated access to BTS internal processes running with high privileges in BTS embedded Linux OS.
From release 21B onwards, AaShell has been hardened to restrict access to the loopback address only so that one can access AaShell only after authenticating to BTS. Also process privileges have been tightened to required level."
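The 21B hardening described above (loopback-only binding, reduced process privileges) can be checked on any Linux host by auditing listening sockets. The following is an added example, not Nokia's code or tooling: it parses text in `/proc/net/tcp` format and reports LISTEN sockets bound to a non-loopback address together with the owning uid. It assumes a little-endian host; the sample table is constructed and port 12345 is a placeholder, since the advisory does not give the AaShell port.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp format (little-endian host assumed).
# Port 0x3039 (12345) is a placeholder, not the real AaShell port.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A0A000A:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 1003 1
   3: 0A0A000A:C350 0B0A000A:0050 01 00000000:00000000 00:00000000 00000000   500        0 1004 1
"""

TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp


def decode_addr(hex_addr):
    """Decode the kernel's hex address (IPv4, or IPv6 as four 32-bit words)."""
    raw = bytes.fromhex(hex_addr)
    # Each 32-bit word is printed in host byte order; swap from little-endian.
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    return ipaddress.ip_address(struct.pack(">%dI" % len(words), *words))


def exposed_listeners(proc_net_tcp_text):
    """Return (address, port, uid) for LISTEN sockets not bound to loopback."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_addr, hex_port = fields[1].split(":")
        addr = decode_addr(hex_addr)
        if not addr.is_loopback:
            # fields[7] is the uid that owns the socket; 0 means root.
            findings.append((str(addr), int(hex_port, 16), int(fields[7])))
    return findings


if __name__ == "__main__":
    for addr, port, uid in exposed_listeners(SAMPLE_PROC_NET_TCP):
        owner = "runs as root" if uid == 0 else "uid %d" % uid
        print("non-loopback listener %s:%d (%s)" % (addr, port, owner))
```

On a live system, pass the contents of `/proc/net/tcp` (and `/proc/net/tcp6`) instead of the sample; a root-owned listener on a wildcard or management-network address is the condition the hardening removes.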
Affected products and versions
| Product | Versions |
|---|---|
| Nokia ASIKA Airscale | Nokia Single RAN SW releases 19B, 20A, 20B, 20C and 21A are affected |
Mitigation plan
A fix has been provided on top of SRAN 21B onwards.
Acknowledgements
- Lena David from Synacktiv
- Geoffrey Bertoli from Synacktiv
References
Change history: Initial version published on 20-02-2023