Nokia moves to patch vulnerable mobile baseband kit


CISA issues warning.

Nokia has moved to patch vulnerabilities that could put mobile telecommunications networks at risk of compromise.

The vulnerabilities came to light via a recent US Cybersecurity and Infrastructure Security Agency (CISA) advisory, with all vulnerabilities rated High severity (CVSS score 8.4).

CISA said the vulnerabilities include improper access controls for volatile memory containing boot code, and data assumed to be immutable being stored in writable memory.

Successful exploitation could result in Nokia baseband units executing a malicious kernel, running malicious programs, or running modified Nokia programs.

In CVE-2022-2482 (not yet published in the Mitre CVE list), Nokia ASIK AirScale system module versions 474021A.101 and 474021A.102 could let an attacker “place a script on the file system accessible from Linux,” CISA said.

That script could allow for “arbitrary code execution in the bootloader.”

CVE-2022-2484 is a signature check bypass in AirScale system module version 474021A.101, allowing an attacker to run modified firmware.

“This could result in the execution of a malicious kernel, arbitrary programs, or modified Nokia programs,” CISA said.

Finally, in CVE-2022-2483, the bootloader in the AirScale system module versions 474021A.101 and 474021A.102 “loads public keys for firmware verification signature. 

“If an attacker modifies the flash contents to corrupt the keys, secure boot could be permanently disabled on a given device,” the advisory stated.

Nokia has patched all three vulnerabilities.

Discovery is attributed to Joel Cretan of Red Balloon Security.

Copyright © iTnews.com.au . All rights reserved.