Nokia moves to patch vulnerable mobile baseband kit

By

CISA issues warning.

Nokia has moved to patch vulnerabilities that could put mobile telecommunications networks at risk of compromise.

Nokia moves to patch vulnerable mobile baseband kit

The vulnerabilities came to light via a recent US Cybersecurity and Infrastructure Security Agency (CISA) advisory, with all vulnerabilities rated High severity (CVSS score 8.4).

CISA said the vulnerabilities include improper access controls for volatile memory containing boot code; and the discovery that data assumed to be immutable is stored in writable memory.

Successful exploitation could result in Nokia baseband units executing a malicious kernel, running malicious programs, or running modified Nokia programs.

In CVE-2022-2482 (not yet published in the Mitre CVE list), Nokia ASIK AirScale system module versions 474021A.101 and 474021A.102 could let an attacker “place a script on the file system accessible from Linux," CISA said.

That script could allow for “arbitrary code execution in the bootloader.”

CVE-2022-2484 is a signature check bypass in AirScale system module version 474021A.101, allowing an attacker can run modified firmware. 

“This could result in the execution of a malicious kernel, arbitrary programs, or modified Nokia programs," CISA said.

Finally, in CVE-2022-2483, the bootloader in the AirScale system module versions 474021A.101 and 474021A.102 “loads public keys for firmware verification signature. 

“If an attacker modifies the flash contents to corrupt the keys, secure boot could be permanently disabled on a given device,” the advisory stated.

Nokia has patched all three vulnerabilities.

Discovery is attributed to Joel Cretan of Red Balloon Security.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Services Australia's sweeping security uplift plans for myGov

Services Australia's sweeping security uplift plans for myGov

Medibank allegedly missed EDR alerts before data breach

Medibank allegedly missed EDR alerts before data breach

Northern Beaches Council reviews security stack to shore up widening perimeter

Northern Beaches Council reviews security stack to shore up widening perimeter

CrowdStrike rejects Delta Air Lines claims over outage

CrowdStrike rejects Delta Air Lines claims over outage

Log In

  |  Forgot your password?