TIM Red Team Research (RTR) team discovers a bug in Ericsson Network Manager

TIM Red Team Research (RTR) researchers discovered a new flaw in Ericsson Network Manager, Ericsson's flagship network product.

The TIM Red Team Research (RTR) team discovered a new vulnerability affecting Ericsson Network Manager, known as Ericsson's flagship network product.

Ericsson Network Manager and network OSS

As mentioned, this is Ericsson's flagship network product. It enables the management of mobile radio networks and their related evolutions, covering conventional out-of-the-box deployments and cloud-based technologies alike (ready to manage the transition from 4G to 5G and continuously updated to be ready for the next technological innovation).

In fact, Ericsson Network Manager is an operations support system ("OSS" in network jargon), which manages all the devices connected to it, handling configurations, firmware updates, and all automation and maintenance operations of an advanced mobile radio network.

It also allows the management of advanced virtual network functions (VNFM), combined with automatic analysis and scaling capabilities based on criteria that interact with various standard distributions.

The system is therefore scalable and provides high capacity through an implementation that allows the consolidation of existing OSS sites to grow or manage greater complexity.

Research Activity

The vulnerabilities were isolated in the TIM laboratory, where the bug hunters Alessandro Bosco and Mohamed Amine Ouad, led by Massimiliano Brolli, who is in charge of the project, as reported on the project website, started the Coordinated Vulnerability Disclosure (CVD) with Ericsson.

According to the TIM website, CVE-2021-28488 has been issued; it falls under the CWE "Exposure of Resource to Wrong Sphere". MITRE describes the security issue as follows:

Ericsson Network Manager (ENM) before 21.2 has incorrect access-control behavior (that only affects the level of access available to persons who were already granted a highly privileged role). Users in the same AMOS authorization group can retrieve managed-network that was not set to be accessible to the entire group (i.e., was only set to be accessible to a subset of that group).
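
The class of flaw in that description, where group membership alone grants access to a resource meant for only a subset of the group, can be modeled as below. This is an added example, not Ericsson's or TIM's code; the group, user and node names, the policy layout and the log format are all constructed assumptions.

```python
# Hypothetical model of group-level vs. subset-level authorization.
# Every name below is constructed; none is an ENM identifier.
GROUPS = {"amos-ops": {"alice", "bob", "carol"}}

# A resource belongs to a group; "allowed" optionally narrows it to a subset.
# allowed=None means the whole group may read it.
RESOURCES = {
    "node-001": {"group": "amos-ops", "allowed": None},
    "node-002": {"group": "amos-ops", "allowed": {"alice"}},
}

def can_read_group_only(user, resource_id):
    """Flawed check: group membership alone grants access."""
    res = RESOURCES[resource_id]
    return user in GROUPS[res["group"]]

def can_read(user, resource_id):
    """Corrected check: group membership AND, if set, the per-resource subset."""
    res = RESOURCES.get(resource_id)
    if res is None or user not in GROUPS.get(res["group"], set()):
        return False
    return res["allowed"] is None or user in res["allowed"]

# Constructed access log, one "timestamp user action resource" record per line.
SAMPLE_LOG = """\
2021-03-01T10:00:00Z alice read node-002
2021-03-01T10:05:00Z bob read node-001
2021-03-01T10:06:00Z bob read node-002
2021-03-01T10:07:00Z mallory read node-001
malformed line
"""

def audit(log_text):
    """Return (user, resource, reason) for reads the corrected policy denies."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "read":
            continue  # skip malformed or non-read records
        _, user, _, resource = parts
        if can_read(user, resource):
            continue
        res = RESOURCES.get(resource)
        in_group = res is not None and user in GROUPS.get(res["group"], set())
        findings.append((user, resource,
                         "outside-subset" if in_group else "not-in-group"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Replaying historical access records against the corrected policy, as `audit` does, separates reads by group members outside the intended subset from reads by users outside the group.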

TIM Red Team Research

This is one of the few Italian industrial research centers focused on security bugs, where for a few years "bug hunting" activities have been carried out to search for undocumented vulnerabilities, leading to the subsequent issuance of a Common Vulnerabilities and Exposures (CVE) entry in the National Vulnerability Database of the United States of America once the Coordinated Vulnerability Disclosure (CVD) with the vendor is over.

In two years of activity, the team has detected many 0-days in very popular products from big vendors, such as Oracle, IBM, Ericsson, Nokia, Computer Associates, Siemens, QNAP, Johnson Controls, and Schneider Electric, as well as other vendors, across different types of software architectures.

Regarding a vulnerability detected in Johnson Controls' Metasys Reporting Engine (MRE) Web Services product, the Cybersecurity and Infrastructure Security Agency (CISA) of the United States of America issued a specific security bulletin reporting as background the following sectors: “CRITICAL INFRASTRUCTURE SECTORS, COUNTRIES/ AREAS USED and COMPANY HEADQUARTERS”. It is an all-Italian team that issues a CVE every 6 working days, contributing internationally to the search for undocumented vulnerabilities and to the security of the products used by many organizations and individuals.

Pierluigi Paganini
