CVE-2025-24329
OAM service path traversal issue caused by a crafted SOAP message archive field within the RAN management network
Public disclosure | 02-07-2025 |
---|---|
Last updated | 02-07-2025 |
Vulnerability type | Path Traversal |
CVSS vector | CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
CVSS score | 6.4 |
Description
Sending a SOAP "provision" operation message with a crafted archive field within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network can cause a path traversal issue in Nokia Single RAN baseband software versions earlier than release 24R1-SR 1.0 MP. This issue has been corrected in release 24R1-SR 1.0 MP and later.
The OAM service path traversal issue can only be triggered from within the MNO internal Radio Access Network (RAN) management network, by sending within that network a crafted SOAP "provision" operation that includes a compressed tarball in the archive field. In software versions earlier than release 24R1-SR 1.0 MP, this action can cause the base station OAM service to extract files from the archive.
This vulnerability is not exploitable from outside the Mobile Network Operator (MNO) internal architecture, such as from mobile network user devices (UEs), roaming networks, or the Internet. Beginning with release 24R1-SR 1.0 MP, the OAM service software utilizes libarchive APIs with security options enabled, effectively mitigating the reported path traversal issue.
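The following is an added example, not Nokia's code and not part of the advisory: a Python pre-extraction check of the kind that an archive library's secure-extraction options perform, run over a constructed gzip tarball. The function names, sample entries and the specific checks are assumptions; the advisory does not state which libarchive options were enabled.

```python
import io
import posixpath
import tarfile


def unsafe_members(tar_bytes):
    """Return {member name: reason} for entries that could write outside the extraction root."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/"):
                findings[m.name] = "absolute path"
            elif ".." in m.name.split("/"):
                findings[m.name] = "'..' path component"
            elif m.issym() or m.islnk():
                # Symlink targets resolve from the link's directory, hard links from the archive root.
                base = posixpath.dirname(m.name) if m.issym() else ""
                target = posixpath.normpath(posixpath.join(base, m.linkname))
                if m.linkname.startswith("/") or target == ".." or target.startswith("../"):
                    findings[m.name] = "link target outside root"
            elif not (m.isfile() or m.isdir()):
                findings[m.name] = "special file type"
    return findings


def build_sample():
    """Constructed test archive (gzip tarball); entry names are made up for illustration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, data=b"x", type_=tarfile.REGTYPE, linkname=""):
            info = tarfile.TarInfo(name)
            info.type, info.linkname = type_, linkname
            info.size = len(data) if type_ == tarfile.REGTYPE else 0
            tar.addfile(info, io.BytesIO(data) if info.size else None)
        add("config/site.xml")                                          # benign file
        add("../outside.txt")                                           # parent-directory component
        add("/abs/outside.txt")                                         # absolute path
        add("config/link", type_=tarfile.SYMTYPE, linkname="../../outside")  # link leaving the root
        add("config/ok-link", type_=tarfile.SYMTYPE, linkname="site.xml")    # link staying inside
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample()).items():
        print(f"REJECT {name}: {reason}")
```

A receiver would refuse the whole archive when this returns any finding, rather than extracting the remaining entries.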
Affected products and versions
Product | Versions |
---|---|
Nokia Single RAN | All releases prior to 24R1-SR 1.0 MP |
Mitigation plan
The fix has been included starting from 24R1-SR 1.0 MP.
Acknowledgements
- Guillaume Teissier (P1 Security France)
- Laurent Ghigonis (P1 Security France)
- Radu Balaci (Bell Mobility Canada)
- Meghna Patel (Bell Mobility Canada)
References
Change history: Initial version published on 02-07-2025