Pierluigi Paganini
March 18, 2022
TIM Red Team Research (RTR) team discovered a new vulnerability affecting Ericsson Network Manager, which is known as Ericsson flagship network product.
Ericsson Network Manager and network OSS
As mentioned, we’re talking about an Ericsson flagship network product, it enables mobile radio network management, and their related evolutions, ensuring the conventional out-of-the-box, as well as all cloud-based technologies evenly (ready to manage the transition from 4G to 5G and continuously updated to be ready for the next technological innovation).
In fact, Ericsson Network Manager is an Operations support system (‘OSS’ according to network jargon), which allows the management of all the devices interconnected to it, ensuring the management of configurations, firmware updates and all automation and maintenance operations of an advanced mobile radio network.
It also allows the management of advanced virtual network functions (VNFM), combined with automatic analysis and scaling capabilities based on criteria that interact with various standard distributions.
The system is therefore scalable and provides high capacity through an implementation that allows the consolidation of existing OSS sites to grow or manage greater complexity.
Research Activity
The vulnerabilities have been isolated in TIM laboratory, where the bug hunters Alessandro Bosco, Mohamed Amine Ouad led by Massimiliano Brolli who’sin charge of the project, as reported on the project website, started the Coordinated Vulnerability Disclosure (CVD) with Ericsson.
According to TIM website, the CVE-2021-28488 has been issued, which focuses on the CWE Exposure of Resource to Wrong Sphere. MITRE describes the security issues encountered, as described down below:
Ericsson Network Manager (ENM) before 21.2 has incorrect access-control behavior (that only affects the level of access available to persons who were already granted a highly privileged role). Users in the same AMOS authorization group can retrieve managed-network that was not set to be accessible to the entire group (i.e., was only set to be accessible to a subset of that group).
TIM Red Team Research
We are talking about one of the few Italian centers of industrial research about security bugs, where since few years are performed “bug hunting” activities that aim to search for undocumented vulnerabilities, leading to a subsequent issuance of a Common Vulnerabilities and Exposures (CVE) on the National Vulnerability Database of the United States of America, once the Coordinated Vulnerability Disclosure (CVD) with the Vendor is over.
In two years of activity, the team has detected many 0-days on very popular products of big vendors, such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson & Control, Schneider Electric, as well as other vendors on different types of software architectures.
Speaking about a vulnerability detected on Johnson & Control’s Metasys Reporting Engine (MRE) Web Services Product, Cybersecurity and Infrastructure Security Agency (CISA) of the United States of America issued a specific Security Bulletin reporting as Background the following sectors: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/ AREAS USED and COMPANY HEADQUARTERS”. It is an all-Italian reality that issues a CVE every 6 working days, internationally contributing to the research for undocumented vulnerabilities, contributing to the security of the products used by many organizations and several individuals
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Ericsson Network Manager)
[adrotate banner=”5″]
[adrotate banner=”13″]
