GSD-2023-24508

Vulnerability from gsd - Updated: 2023-12-13 01:20
Details
Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.6.6 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods below have been tested and validated by a 3rd party analyst and has been confirmed exploitable special thanks to Rustam Amin for providing the steps to reproduce.
Aliases
Aliases
CVE-2023-24508
To clipboard 

{
  "GSD": {
    "alias": "CVE-2023-24508",
    "id": "GSD-2023-24508"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-24508"
      ],
      "details": "Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.6.6 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods below have been tested and validated by a 3rd party analyst and has been confirmed exploitable special thanks to Rustam Amin for providing the steps to reproduce.",
      "id": "GSD-2023-24508",
      "modified": "2023-12-13T01:20:57.649722Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@baicells.com",
        "ID": "CVE-2023-24508",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Nova 227",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "0"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Nova 233",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "0"
                        }
                      ]
                    }
                  },
                  {
                    "product_name": "Nova 246",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Baicells"
            }
          ]
        }
      },
      "configuration": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Nova eNB would need to be configured and running on 3.6.6 firmware and older along with being accessible on the internal network or public network. If the Web interface is enabled it will allow users to exploit using the above method.\u0026nbsp;\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "Nova eNB would need to be configured and running on 3.6.6 firmware and older along with being accessible on the internal network or public network. If the Web interface is enabled it will allow users to exploit using the above method.\u00a0\n\n"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Rustam Amin"
        },
        {
          "lang": "en",
          "value": "Baicells Security Team"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.6.6 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods below have been tested and validated by a 3rd party analyst and has been confirmed exploitable special thanks to Rustam Amin for providing the steps to reproduce."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:L",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-79",
                "lang": "eng",
                "value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG",
            "refsource": "MISC",
            "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG"
          },
          {
            "name": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf",
            "refsource": "MISC",
            "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf"
          }
        ]
      },
      "solution": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eBaicells recommends that all customers currently running an earlier version of RTS/RTD upgrade their products to the 3.7.11.6 firmware.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "Baicells recommends that all customers currently running an earlier version of RTS/RTD upgrade their products to the 3.7.11.6 firmware.\n\n\n"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:o:baicells:rtd_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "3.7.11.6",
                    "vulnerable": true
                  },
                  {
                    "cpe23Uri": "cpe:2.3:o:baicells:rts_firmware:*:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "versionEndExcluding": "3.7.11.6",
                    "vulnerable": true
                  }
                ],
                "operator": "OR"
              },
              {
                "children": [],
                "cpe_match": [
                  {
                    "cpe23Uri": "cpe:2.3:h:baicells:nova227:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  },
                  {
                    "cpe23Uri": "cpe:2.3:h:baicells:nova233:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  },
                  {
                    "cpe23Uri": "cpe:2.3:h:baicells:nova243:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  },
                  {
                    "cpe23Uri": "cpe:2.3:h:baicells:nova246:-:*:*:*:*:*:*:*",
                    "cpe_name": [],
                    "vulnerable": false
                  }
                ],
                "operator": "OR"
              }
            ],
            "cpe_match": [],
            "operator": "AND"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@baicells.com",
          "ID": "CVE-2023-24508"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with firmware through RTS/RTD 3.6.6 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods below have been tested and validated by a 3rd party analyst and has been confirmed exploitable special thanks to Rustam Amin for providing the steps to reproduce."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6.IMG.IMG"
            },
            {
              "name": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://img.baicells.com//Upload/20230118/FILE/BaiBS_RTS_3.7.11.6_Changelog.PDF.pdf"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 6.0
        }
      },
      "lastModifiedDate": "2023-02-08T21:29Z",
      "publishedDate": "2023-01-26T21:18Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.