CVE-2023-25185
Privilege escalation in multiple services of Nokia ASIKA
| Public disclosure | 20-02-2023 |
|---|---|
| Last updated | 20-02-2023 |
| Vulnerability type | Improper Privilege Management |
| CVSS vector | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L |
| CVSS score | 3.8 |
Description
An internal fault in the mobile network solution was found in Nokia Single RAN software releases: certain software processes in the BTS internal software design have unnecessarily high privileges to BTS embedded operating system (OS) resources. Nokia has lowered the privileges of these processes in Single RAN SW release 21B onwards, as a BTS internal security hardening measure.
Affected products and versions
| Product | Versions |
|---|---|
| Nokia ASIKA Airscale | Nokia Single RAN SW releases 19B, 20A, 20B, 20C and 21A are affected |
Mitigation plan
A fix has been provided on top of SRAN 21B onwards.
Acknowledgements
- Lena David from Synacktiv
- Geoffrey Bertoli from Synacktiv
Change history: Initial version published on 20-02-2023