Nokia Siemens FlexiISN GGSN Authentication Bypass

Type packetstorm
Reporter TaMBaRuS
Modified 2009-03-30T00:00:00


                                            `NOKIA Siemens FlexiISN GGSN Multiple Authentication bypass Vulnerability: NOKIA Siemens FlexiISN  
Remote: Yes   
Local: No   
Class: Input Validation Error   
Critical: Moderately critical   
OS : FlexiISN (GGSN) FISN 3.1  
URL 1 for bypassing authentication on AAA Configuration: http://[Flexi-ISN IP]/cgi-bin/aaa.tcl?  
URL 2 for bypassing authentication on Aggregation Class Configuration : http://[Flexi-ISN IP]/cgi-bin/aggr_config.tcl?  
URL 3 for bypassing authentication on GGSN general Configuration : http://[Flexi-ISN IP]/opt/cgi-bin/ggsn/cgi.tcl?page=ggsnconf  
URL 4 for bypassing authentication on Network Access & services : http://[Flexi-ISN IP]/opt/cgi-bin/services.tcl?instance=default  
Published: March 30, 2009  
Discovered by: TaMbaRuS (  
Greetz: Mr. Gabriel Waller from NSN for all his support for researching on the vulnerabilities.  
The Flexi ISN, which performs GPRS Gateway Service Node (GGSN) and data charging functionalities, is fully integrated with the existing Nokia Siemens Networks charge@once prepaid solution to enable flexible charging of data services. The systems integration services ensure seamless consumer experience, while managing an increasingly complex combination of new processes and systems.  
With the introduction of Flexi ISN, mobile telekom service provider is able to combine all in one box a GGSN and an Intelligent Charging Node. The deployed Flexi ISN 3.1 system is able, through deep packet inspection, to distinguish the type of traffic such as HTTP browsing, WAP browsing, MMS, streaming, content download thus enabling different charging models based on the type of data service used.`