CVE-2025-24331
Nokia Single RAN baseband OAM service extensive capabilities
Public disclosure | 02-07-2025 |
---|---|
Last updated | 02-07-2025 |
Vulnerability type | Elevated capabilities |
CVSS vector | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
CVSS score | 6.4 |
Description
The Single RAN baseband OAM service is intended to run as an unprivileged service. However, it initially starts with root privileges and assigns certain capabilities before dropping to an unprivileged level. The capabilities it retains after the privilege drop are considered extensive and could, in theory, allow actions beyond the intended scope of the OAM service. These actions could include gaining root privileges, accessing root-owned files, modifying them as the file owner, and then returning them to root ownership.
This vulnerability is not exploitable from outside the Mobile Network Operator (MNO) internal architecture, such as from mobile network user devices (UEs), roaming networks, or the Internet. Beginning with release 24R1-SR 0.2 MP, the OAM service software capabilities are restricted to the minimum necessary.
No practical exploit has been detected for this extensive capabilities issue in the OAM service. However, in software versions earlier than release 24R1-SR 0.2 MP, it could in theory have unknown misuse scenarios from within the MNO internal Radio Access Network (RAN) management network by an authenticated Single RAN base station administrative user.
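As an added example (not Nokia's code and not part of the advisory), this Python script audits the condition described above: a process that no longer runs as root but still holds broad Linux capabilities, as reported in `/proc/<pid>/status`. The advisory does not name the retained capabilities, so the flagged set, the process name and the sample masks are assumptions constructed for illustration.

```python
import re
import sys

# Bit numbers from linux/capability.h. The advisory does not say which
# capabilities the OAM service kept; this set is an assumption chosen to match
# the actions it describes (root-file access, ownership changes, UID changes).
RISKY = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
         3: "CAP_FOWNER", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
         19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}
CHECKED_SETS = ("CapPrm", "CapEff", "CapAmb")  # usable now, or kept across execve

def parse_status(text):
    """Return (name, effective uid, {set: mask}) from /proc/<pid>/status text."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", text, re.M))
    euid = int(fields["Uid"].split()[1])  # order: real, effective, saved, fs
    masks = {s: int(fields[s], 16) for s in CHECKED_SETS if s in fields}
    return fields.get("Name", "?"), euid, masks

def audit(text):
    """Map each capability set to the risky capabilities a non-root process holds."""
    _, euid, masks = parse_status(text)
    if euid == 0:
        return {}  # running as root: no privilege drop to audit
    findings = {}
    for set_name, mask in masks.items():
        held = [name for bit, name in sorted(RISKY.items()) if mask >> bit & 1]
        if held:
            findings[set_name] = held
    return findings

# Constructed samples (not taken from a Nokia system): the same unprivileged
# service before and after its capability set is reduced.
STATUS_TEMPLATE = ("Name:\toam_example\nUid:\t1001\t1001\t1001\t1001\n"
                   "CapInh:\t0000000000000000\nCapPrm:\t{caps}\nCapEff:\t{caps}\n"
                   "CapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n")
OVERBROAD = STATUS_TEMPLATE.format(caps="000000000000048b")
MINIMAL = STATUS_TEMPLATE.format(caps="0000000000000400")  # CAP_NET_BIND_SERVICE only

if __name__ == "__main__":
    # With a PID argument, audit that live process; otherwise run the samples.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            print(audit(fh.read()))
    else:
        print("overbroad:", audit(OVERBROAD))
        print("minimal:  ", audit(MINIMAL))
```

A non-empty result for a service account is a prompt to compare the held capabilities against what the service actually needs.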
Affected products and versions
Product | Versions |
---|---|
Nokia Single RAN | All the releases prior to 24R1-SR 0.2 MP |
Mitigation plan
The fix has been included starting from 24R1-SR 0.2 MP.
Acknowledgements
- Guillaume Teissier (P1 Security France)
- Laurent Ghigonis (P1 Security France)
- Radu Balaci (Bell Mobility Canada)
- Meghna Patel (Bell Mobility Canada)
References
Change history: Initial version published on 02-07-2025