Nokia Airscale ASIKA Single RAN 安全漏洞(CVE-2023-25187)

admin

0
文章

0
评论

2023-11-29 23:02:43 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

Nokia Airscale ASIKA Single RAN 安全漏洞(CVE-2023-25187)

CVE编号

CVE-2023-25187

利用情况

暂无

补丁情况

N/A

披露时间

2023-06-17

漏洞描述

An issue was discovered on NOKIA Airscale ASIKA Single RAN devices before 21B. Nokia Single RAN commissioning procedures do not change (factory-time installed) default SSH public/private key values that are specific to a network operator. As a result, the CSP internal BTS network SSH server (disabled by default) continues to apply the default SSH public/private key values. These keys don't give access to BTS, because service user authentication is username/password-based on top of SSH. Nokia factory installed default SSH keys are meant to be changed from operator-specific values during the BTS deployment commissioning phase. However, before the 21B release, BTS commissioning manuals did not provide instructions to change default SSH keys (to BTS operator-specific values). This leads to a possibility for malicious operations staff (inside a CSP network) to attempt MITM exploitation of BTS service user access, during the moments that SSH is enabled for Nokia service personnel to perform troubleshooting activities.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
http://packetstormsecurity.com/files/173055/Nokia-ASIKA-7.13.52-Private-Key-D...
https://Nokia.com
https://www.nokia.com/about-us/security-and-privacy/product-security-advisory...

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	系统	nokia	asika_airscale_firmware	19b	-
	运行在以下环境
	系统	nokia	asika_airscale_firmware	20a	-
	运行在以下环境
	系统	nokia	asika_airscale_firmware	20b	-
	运行在以下环境
	系统	nokia	asika_airscale_firmware	20c	-
	运行在以下环境
	系统	nokia	asika_airscale_firmware	21a	-
	运行在以下环境
	硬件	nokia	asika_airscale	-	-