CVE-2023-25187
Hard-coded private key disclosure in Nokia ASIKA

Public disclosure: 20-02-2023

Last updated: 20-02-2023

Vulnerability type: Use of Hard-Coded Credential

CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

CVSS score: 6.3

Description

"Nokia Single RAN commissioning procedures do not change the (factory-installed) default SSH public/private key values to network-operator-specific ones. As a result, the CSP internal BTS network SSH server (disabled by default) continues to apply the default SSH public/private key values. These keys don't give access to the BTS, as service user authentication is username/password based on top of SSH.

Nokia factory-installed default SSH keys are meant to be changed to operator-specific keys during the BTS deployment commissioning phase. However, before the 21B release, BTS commissioning manuals do not instruct operators to change the default SSH keys (to BTS operator-specific ones). This makes it possible for malicious operability staff inside the CSP network to attempt a MITM exploit for BTS service user access during the moments when SSH is enabled for Nokia service personnel for troubleshooting activities. From release 21B onwards, BTS commissioning procedures change the Nokia default SSH keys to operator-specific ones."

A mobile network solution internal fault was found in Nokia Single RAN SW releases 19B, 20A, 20B, 20C and 21A. The fault does not exist (i.e., is fixed) from release 21B onwards. Exploitation of this Nokia BTS product fault (i.e. vulnerability) is not possible from outside the mobile network solution architecture. This means that exploitation is not possible from mobile network user UEs, from roaming networks, or from the Internet. Exploitation is possible only from the CSP mobile network solution's internal BTS management network. To exploit the vulnerability, a BTS administrator has to enable, by configuration, the SSH server in the BTS baseband unit. The BTS SSH server is disabled by default and is enabled only for deep-level troubleshooting activities.

Affected products and versions

Product: Nokia ASIKA Airscale

Versions: Nokia Single RAN SW releases 19B, 20A, 20B, 20C and 21A are affected

Mitigation plan

Fix has been provided on top of SRAN 21B onwards.

Acknowledgements

  • Lena David from Synacktiv
  • Geoffrey Bertoli from Synacktiv

References

Change history: Initial version published on 20-02-2023