Nokia Single RAN Information Disclosure Vulnerability via Internal RAN Management Network
Vulnerability
An information disclosure vulnerability has been identified in Nokia Single RAN baseband software prior to 23R2-SR 1.0 MP. This vulnerability allows the exact software release version to be revealed by sending a specific HTTP POST request through the Mobile Network Operator (MNO) internal RAN management network. The issue is not exploitable from outside the MNO internal architecture, such as from mobile network user devices, roaming networks, or the Internet. While no practical exploit has been detected, the disclosed version information could potentially be used to fingerprint targeted devices, leading to more focused attack attempts.
Impact
Exploitation of this vulnerability could allow unauthorized individuals to access sensitive information about the software version running on Nokia Single RAN baseband devices, potentially leading to targeted attacks based on that information.
Remediation
Users can upgrade to Nokia Single RAN baseband software version 23R2-SR 1.0 MP or later to address this vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.