- Description
- Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB and Nova 246 devices with firmware through RTS/RTD 3.6.6 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods below have been tested and validated by a 3rd party analyst and has been confirmed exploitable special thanks to Rustam Amin for providing the steps to reproduce.
- Source
- security@baicells.com
- NVD status
- Modified
CVSS 3.1
- Type
- Primary
- Base score
- 9.6
- Impact score
- 6
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Severity
- CRITICAL
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:baicells:rtd_firmware:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "148B43F9-03E6-43FC-9631-94EAFB4497FB",
"versionEndExcluding": "3.7.11.6"
},
{
"criteria": "cpe:2.3:o:baicells:rts_firmware:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "FB305C49-EC84-4C16-B961-1DAA3BC6B108",
"versionEndExcluding": "3.7.11.6"
}
],
"operator": "OR"
},
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:h:baicells:nova227:-:*:*:*:*:*:*:*",
"vulnerable": false,
"matchCriteriaId": "2FF244C0-5EC5-41ED-8474-23097129A903"
},
{
"criteria": "cpe:2.3:h:baicells:nova233:-:*:*:*:*:*:*:*",
"vulnerable": false,
"matchCriteriaId": "E9943901-505F-495E-8B83-B6D50E2ECD26"
},
{
"criteria": "cpe:2.3:h:baicells:nova243:-:*:*:*:*:*:*:*",
"vulnerable": false,
"matchCriteriaId": "B3A7D0D1-2ADE-4EB6-B2C4-060528D60598"
},
{
"criteria": "cpe:2.3:h:baicells:nova246:-:*:*:*:*:*:*:*",
"vulnerable": false,
"matchCriteriaId": "D4D28C47-73C1-465F-AE37-8281589DED94"
}
],
"operator": "OR"
}
],
"operator": "AND"
}
]