Nokia Single RAN Path Traversal Vulnerability in OAM Service via Crafted SOAP Message

A path traversal vulnerability has been identified in Nokia Single RAN baseband software versions prior to 24R1-SR 1.0 MP. This issue arises when a crafted SOAP 'provision' operation message, containing a compressed tarball in the archive field, is sent within the Mobile Network Operator's internal Radio Access Network management network. The base station OAM service in these vulnerable software versions can be tricked into extracting files from the archive, creating a potential security risk. This vulnerability is not exploitable from outside the operator's internal architecture, such as from user devices, roaming networks, or the Internet.

Impact

Exploitation of this vulnerability can lead to unauthorized file extraction on the base station OAM service, potentially allowing for further manipulation or access to sensitive information.

Reproduction

To reproduce this vulnerability, send a crafted SOAP 'provision' operation message from within the Mobile Network Operator's internal Radio Access Network management network. The message must include a compressed tarball in the archive field. In software versions prior to 24R1-SR 1.0 MP, this will cause the OAM service to extract files from the archive, exploiting the path traversal vulnerability.

Remediation

Users can upgrade to Nokia Single RAN release 24R1-SR 1.0 MP or later, where this vulnerability has been addressed by using libarchive APIs with security options enabled.