CVE-2023-0776

Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 LTE TDD eNodeB devices with firmware through QRTB 2.12.7 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods below have been tested and validated by a 3rd party analyst and has been confirmed exploitable special thanks to Rustam Amin for providing the steps to reproduce.

CVSS v3.0 10.0 CRITICAL

10.0^/10

CVSS v3.0 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://baicells.com/Service/Firmware	Patch Vendor Advisory

Advertisement

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:baicells:neutrino_430_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:baicells:neutrino_430:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:baicells:nova430l_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:baicells:nova430l:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:baicells:nova430e_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:baicells:nova430e:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:baicells:nova436q_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:baicells:nova436q:-:*:*:*:*:*:*:*

Information

Published : 2023-02-10 17:23

Updated : 2023-02-13 13:00

NVD link : CVE-2023-0776

Mitre link : CVE-2023-0776

JSON object : View

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Advertisement

Products Affected

baicells

nova430l
neutrino_430
nova430e_firmware
nova430e
nova436q_firmware
neutrino_430_firmware
nova430l_firmware
nova436q

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://baicells.com/Service/Firmware", "name": "https://baicells.com/Service/Firmware", "tags": ["Patch", "Vendor Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 LTE TDD eNodeB devices with firmware through QRTB 2.12.7 are vulnerable to remote shell code exploitation via HTTP command injections. Commands are executed using pre-login execution and executed with root permissions. The following methods below have been tested and validated by a 3rd party analyst and has been confirmed exploitable special thanks to Rustam Amin for providing the steps to reproduce."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-77"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2023-0776", "ASSIGNER": "security@baicells.com"}}, "impact": {"baseMetricV3": {"cvssV3": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}}, "publishedDate": "2023-02-11T01:23Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:baicells:neutrino_430_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "qrtb_2.12.7"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:baicells:neutrino_430:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:baicells:nova430l_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "qrtb_2.12.7"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:baicells:nova430l:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:baicells:nova430e_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "qrtb_2.12.7"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:baicells:nova430e:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:baicells:nova436q_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "qrtb_2.12.7"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:baicells:nova436q:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-02-13T21:00Z"}