Guillaume Teissier

Name of the Vulnerable Software and Affected Versions: Nokia Single RAN baseband software versions earlier than 24R1-SR 2.1 MP Description: The issue is related to a SOAP message input validation flaw, which could potentially be used for causing resource exhaustion in the Single RAN baseband OAM service. No practical exploit has been detected for this flaw. The problem has been corrected starting from release 24R1-SR 2.1 MP by adding sufficient input validation for received SOAP requests. Recommendations: For versions earlier than 24R1-SR 2.1 MP, update to release 24R1-SR 2.1 MP or later to mitigate the issue by adding sufficient input validation for received SOAP requests.

Name of the Vulnerable Software and Affected Versions: Nokia Single RAN baseband OAM service component versions prior to 24R1-SR 1.0 MP Description: The issue occurs when a crafted SOAP "set" operation message is sent within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network, causing the Nokia Single RAN baseband OAM service component to restart. The OAM service component restarts automatically after the stack overflow without causing a base station restart or network service degradation, and without leaving any permanent impact on the Nokia Single RAN baseband OAM service. Recommendations: For versions prior to 24R1-SR 1.0 MP, update to release 24R1-SR 1.0 MP or later to resolve the issue. As a temporary workaround, consider restricting access to the SOAP "set" operation message within the MNO internal RAN management network to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Nokia Single RAN baseband software versions prior to 24R1-SR 1.0 MP Description: The issue arises when a crafted SOAP "provision" operation message archive field is sent within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network, causing a path traversal issue. This has been mitigated in release 24R1-SR 1.0 MP and later by utilizing libarchive APIs with security options enabled. Recommendations: For versions prior to 24R1-SR 1.0 MP, update to release 24R1-SR 1.0 MP or later to resolve the issue. As a temporary workaround, consider restricting access to the SOAP "provision" operation message archive field within the MNO internal RAN management network until a patch is available.

Name of the Vulnerable Software and Affected Versions: Nokia Single RAN baseband software versions prior to 24R1-SR 1.0 MP Description: The issue arises when a crafted SOAP "provision" operation message is sent with a malicious `PlanId` field within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network, causing a path traversal issue. This has been mitigated in release 24R1-SR 1.0 MP and later by performing `PlanId` field input validations in the OAM service software. Recommendations: For versions prior to 24R1-SR 1.0 MP, update to release 24R1-SR 1.0 MP or later to resolve the issue. As a temporary workaround, consider restricting access to the SOAP "provision" operation message endpoint to minimize the risk of exploitation. Avoid using the `PlanId` field in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Single RAN baseband OAM service versions prior to 24R1-SR 0.2 MP Description: The Single RAN baseband OAM service is intended to run as an unprivileged service but initially starts with root privileges and assigns certain capabilities before dropping to an unprivileged level. The capabilities retained from the root period are considered extensive and could potentially allow actions beyond the intended scope of the OAM service, including gaining root privileges, accessing root-owned files, modifying them, and then returning them to root ownership. Recommendations: For versions prior to 24R1-SR 0.2 MP, update to release 24R1-SR 0.2 MP or later to restrict the OAM service software capabilities to the minimum necessary.

Name of the Vulnerable Software and Affected Versions: Nokia Single RAN AirScale baseband versions prior to 23R4-SR 3.0 MP Description: The issue allows an authenticated administrative user to access all physical boards after a single login to the baseband system board, without re-authentication when connecting to baseband capacity boards using the internal bsoc SSH service. This service is available internally within the baseband and through the internal backplane between the boards, using an SSH private key present on the baseband system board. The bsoc SSH capability was previously considered an administrative functionality but has been restricted to be available only to baseband root-privileged administrators to mitigate the possibility of misuse with lower-level privileges. Recommendations: For versions prior to 23R4-SR 3.0 MP, update to release 23R4-SR 3.0 MP or later to restrict the bsoc SSH capability to baseband root-privileged administrators and mitigate the issue.

Name of the Vulnerable Software and Affected Versions: Nokia Single RAN baseband software versions prior to 24R1-SR 1.0 MP Description: The issue is related to an administrative shell input validation fault in the Nokia Single RAN baseband software. An authenticated admin user can potentially inject arbitrary commands for unprivileged baseband OAM service process execution by adding special characters to the baseband internal COMA config.xml file. The problem has been corrected in release 24R1-SR 1.0 MP and later by adding proper input validation to the OAM service process. Recommendations: For versions prior to 24R1-SR 1.0 MP, update to release 24R1-SR 1.0 MP or later to resolve the issue. As a temporary workaround, consider restricting access to the baseband internal COMA config.xml file to prevent potential command injection.

Name of the Vulnerable Software and Affected Versions: Nokia Single RAN baseband software versions prior to 23R2-SR 1.0 MP Description: The issue allows an attacker to reveal the exact software release version by sending a specific HTTP POST request through the Mobile Network Operator (MNO) internal RAN management network. Recommendations: For versions prior to 23R2-SR 1.0 MP, update to version 23R2-SR 1.0 MP or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.15 through 5.19 before 5.19.2 **Description** A use-after-free issue exists in the Linux kernel's ksmbd module, specifically in the `fs/ksmbd/smb2pdu.c` file, related to the `SMB2 TREE DISCONNECT` command. This issue can be exploited by a remote attacker to execute arbitrary code on vulnerable Linux kernel versions. The ksmbd server, which implements the SMB3 protocol in the kernel for network file sharing, is affected when it handles `SMB2 TREE DISCONNECT` commands without properly checking the existence of an object before performing operations on it. **Recommendations** For Linux kernel versions 5.15 through 5.19 before 5.19.2, update to version 5.19.2 or later to resolve the issue. As a temporary workaround, consider disabling the ksmbd server until a patch is available. Restrict access to the `SMB2 TREE DISCONNECT` command to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.15 through 5.19 before 5.19.2 **Description** The issue is related to a heap-based buffer overflow in the Linux kernel's ksmbd subsystem, specifically in the set ntacl dacl function. This overflow is connected to the use of `SMB2 QUERY INFO HE` after a malformed `SMB2 SET INFO HE` command. The exploitation of this issue could allow a remote attacker to execute arbitrary code. **Recommendations** For Linux kernel versions 5.15 through 5.19 before 5.19.2, update to version 5.19.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `set ntacl dacl` function and the `SMB2 QUERY INFO HE` and `SMB2 SET INFO HE` commands until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.15 through 5.19 before 5.19.2 **Description** The issue is related to the `smb2 write` function in the `ksmbd` module of the Linux kernel, which is vulnerable to an out-of-bounds read in memory. This can allow a remote attacker to disclose protected information or cause a denial of service. The vulnerability occurs when there is a large length in the zero `DataOffset` case for `SMB2 WRITE`. **Recommendations** For Linux kernel versions 5.15 through 5.19 before 5.19.2, update to version 5.19.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `ksmbd` module or disabling the `smb2 write` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.15 through 5.19 before 5.19.2 **Description** An issue was discovered in ksmbd in the Linux kernel, related to a memory leak due to the omission of a `kfree` call in certain `smb2 handle negotiate` error conditions. This can be exploited by a remote attacker to cause a denial-of-service when handling SMB2 NEGOTIATE requests. The vulnerable code is located in `fs/ksmbd/smb2pdu.c`. **Recommendations** For Linux kernel versions 5.15 through 5.19 before 5.19.2, update to version 5.19.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `smb2 handle negotiate` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions 5.15 through 5.19 before 5.19.2 **Description** The issue is related to an out-of-bounds read in the Linux kernel's ksmbd subsystem, specifically in the fs/ksmbd/smb2misc.c file. This occurs when handling the SMB2 TREE CONNECT operation. Exploitation of this issue can allow a remote attacker to cause a denial of service. **Recommendations** For Linux kernel versions 5.15 through 5.19 before 5.19.2, update to version 5.19.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the SMB2 TREE CONNECT operation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apache XML-RPC (affected versions not specified) **Description** The issue is related to an untrusted deserialization error in the `org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult` method of the Apache XML-RPC library. This error is associated with the deserialization of server-side exceptions serialized in the `faultCause` attribute of XML-RPC error response messages. Exploitation of this issue could allow a remote attacker to access confidential data, compromise data integrity, and cause a denial of service. A malicious XML-RPC server could target an XML-RPC client, causing it to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

The ifmap service that comes bundled with Contrail has an XML External Entity (XXE) vulnerability that may allow an attacker to retrieve sensitive system files. Affected releases are Juniper Networks Contrail 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).

The ifmap service that comes bundled with Juniper Networks Contrail releases uses hard coded credentials. Affected releases are Contrail releases 2.2 prior to 2.21.4; 3.0 prior to 3.0.3.4; 3.1 prior to 3.1.4.0; 3.2 prior to 3.2.5.0. CVE-2017-10616 and CVE-2017-10617 can be chained together and have a combined CVSSv3 score of 5.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).