github - ghsa-ggfg-pcqp-37x5

GHSA-GGFG-PCQP-37X5

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-08 21:30

Details

Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.6.6 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods below have been tested and validated by a 3rd party analyst and has been confirmed exploitable special thanks to Rustam Amin for providing the steps to reproduce.

Severity ?

9.6 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-24508"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "severity": "CRITICAL"
  },
  "details": "Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.6.6 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods below have been tested and validated by a 3rd party analyst and has been confirmed exploitable special thanks to Rustam Amin for providing the steps to reproduce.",
  "id": "GHSA-ggfg-pcqp-37x5",
  "modified": "2023-02-08T21:30:18Z",
  "published": "2023-01-26T21:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24508"
    },
    {
      "type": "WEB",
      "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG"
    },
    {
      "type": "WEB",
      "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2023-24508 (GCVE-0-2023-24508)

Vulnerability from cvelistv5 – Published: 2023-01-24 22:32 – Updated: 2025-03-27 20:20

Summary

Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB and Nova 246 devices with firmware through RTS/RTD 3.6.6 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods below have been tested and validated by a 3rd party analyst and has been confirmed exploitable special thanks to Rustam Amin for providing the steps to reproduce.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

Baicells

References

URL

Tags

	https://img.baicells.com//Upload/20230118/FILE/Ba…	patch
	https://img.baicells.com//Upload/20230118/FILE/Ba…	release-notes

Impacted products

Vendor

Product

Version

Baicells

Nova 227

Affected: 0 , ≤ 3.6.6 (patch)

	Baicells	Nova 233	Affected: 0 , ≤ 3.6.6 (patch)
	Baicells	Nova 246	Affected: 0 , ≤ 3.6.6 (patch)

Credits

Rustam Amin Baicells Security Team

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T10:56:04.184Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG"
          },
          {
            "tags": [
              "release-notes",
              "x_transferred"
            ],
            "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-24508",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T20:18:56.513606Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T20:20:04.220Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "3.6.6"
          ],
          "platforms": [
            "RTS",
            "RTD"
          ],
          "product": "Nova 227",
          "vendor": "Baicells",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.7.11.6",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.6.6",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "3.6.6"
          ],
          "platforms": [
            "RTS",
            "RTD"
          ],
          "product": "Nova 233",
          "vendor": "Baicells",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.7.11.6",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.6.6",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "modules": [
            "3.6.6"
          ],
          "platforms": [
            "RTS",
            "RTD"
          ],
          "product": "Nova 246",
          "vendor": "Baicells",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.7.11.6",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.6.6",
              "status": "affected",
              "version": "0",
              "versionType": "patch"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Nova eNB would need to be configured and running on 3.6.6 firmware and older along with being accessible on the internal network or public network. If the Web interface is enabled it will allow users to exploit using the above method.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "Nova eNB would need to be configured and running on 3.6.6 firmware and older along with being accessible on the internal network or public network. If the Web interface is enabled it will allow users to exploit using the above method.\u00a0\n\n"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Rustam Amin"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Baicells Security Team"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eBaicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB and Nova 246 devices with firmware through RTS/RTD 3.6.6 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods below have been tested and validated by a 3rd party analyst and has been confirmed exploitable special thanks to Rustam Amin for providing the steps to reproduce.\u0026nbsp;\u003c/span\u003e\u003cbr\u003e\u003c/p\u003e"
            }
          ],
          "value": "Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB and Nova 246 devices with firmware through RTS/RTD 3.6.6 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods below have been tested and validated by a 3rd party analyst and has been confirmed exploitable special thanks to Rustam Amin for providing the steps to reproduce.\u00a0\n\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-111",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-111 JSON Hijacking (aka JavaScript Hijacking)"
            }
          ]
        },
        {
          "capecId": "CAPEC-31",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-25T18:32:36.297Z",
        "orgId": "084566ad-deee-4e89-acff-6b7b1bf9d4b7",
        "shortName": "Baicells"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eBaicells recommends that all customers currently running an earlier version of RTS/RTD upgrade their products to the 3.7.11.6 firmware.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "Baicells recommends that all customers currently running an earlier version of RTS/RTD upgrade their products to the 3.7.11.6 firmware.\n\n\n"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Remote Code Execution in Baicells RTS Platform",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "084566ad-deee-4e89-acff-6b7b1bf9d4b7",
    "assignerShortName": "Baicells",
    "cveId": "CVE-2023-24508",
    "datePublished": "2023-01-24T22:32:58.249Z",
    "dateReserved": "2023-01-24T19:44:01.622Z",
    "dateUpdated": "2025-03-27T20:20:04.220Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-GGFG-PCQP-37X5

CVE-2023-24508 (GCVE-0-2023-24508)

Tags

Sightings

Nomenclature