CVE-2023-25186
Relative Path Traversal Vulnerability in Nokia ASIKA

Public disclosure

20-02-2023

Last updated

20-02-2023

Vulnerability type

Directory Traversal

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CVSS score

3.8

Description

If a CSP (acting as BTS administrator) removes the security hardening from a Nokia Single RAN BTS baseband unit, a directory path traversal in the baseband unit's diagnostic tool AaShell (which is disabled by default) provides access to the baseband unit's internal filesystem from the mobile network solution's internal BTS management network.

"A mobile network solution internal fault was found in Nokia Single RAN SW releases 19B, 20A, 20B, 20C and 21A. Exploit of this fault is not possible from outside of mobile network solution architecture which is from user UEs or roaming networks or from Internet. Exploit is possible only from CSP mobile network solution internal BTS management network. To exploit the vulnerability, BTS administrator has to disable the recommended 'Security for Ethernet ports' (SOE) flag i.e. a security hardening feature from BTS. Only after this the AaShell diagnostic tool becomes active and communication service provider(CSP) staff can misuse the AaShell for reading BTS internal file-system without AaShell requesting login authentication.

From release 21B onwards, AaShell has been hardened to restrict access to the loopback address only so that one can access AaShell only after authenticating to BTS, and also fixed path traversal issue."

Affected products and versions

Product: Nokia ASIKA Airscale

Versions: Nokia Single RAN SW releases 19B, 20A, 20B, 20C and 21A are affected

Mitigation plan

A fix has been provided on top of SRAN 21B onwards.

Acknowledgements

  • Lena David from Synacktiv
  • Geoffrey Bertoli from Synacktiv

Change history: Initial version published on 20-02-2023