Red TIM Research found two rare flaws in Ericsson OSS-RC component

Red TIM Research found two rare flaws in Ericsson OSS-RC component

The Red Team Research (RTR), the bug’s research division from Italian Telecommunication firm TIM, found 2 new vulnerabilities affecting the Ericsson OSS-RC.

What is the OSS (Operations Support System)?

The Operations Support System – Radio and Core (OSS-RC) provides a centralized interface into the radio and core components.

The Operations Support Systems are all those systems used by companies that provide communication services for networks’ integrated function.

Let’s consider the case of the activation of a new line for a customer, while the order and customer data are collected through the CRM, the configuration of the network is automated through the OSS.

For example, let’s consider the case of a client that requires the activation of a new telephone line. The systems that handle these requests/CRM gather user data, but it isn’t able to configure the network to provide the service to the customer. The OSSs allow telecommunications carriers to automate this process and also to carry out management operations of the networks, such as the update of the base-band systems located on the buildings of our cities.

Unfortunately, OSS systems also represent a “single-point-of-failure,” a Remote Code Execution (RCE) vulnerability affecting an OSS can allow attackers to potentially compromise all connected systems, including basebands.

The vulnerabilities have been reported to Ericsson by the researchers Alessandro Bosco, Mohamed Amine Ouad, and by the head of laboratory Massimiliano Brolli.

Below is the list of flaws reported to the vendor since 2001 and included in the National Vulnerability Database of the United States of America. They were only 10, two of which reported by the TIM.

Ericsson di Operations Support System OSS-RC 1

Below the details for the two flaws published on the official page of the TIM RTR project.

CVE-2021-32569

In OSS-RC systems of the release 18B and older customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting. This problem is completely resolved in new Ericsson library browsing tool ELEX used in systems like Ericsson Network Manager.

  • Vulnerability Description: Improper Neutralization of Input During Web Page Generation (‘Reflected Cross-site Scripting’). – CWE-79 Software Version: <=18B NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-32569 CVSv3: 6.1 Severity: Medium Credits: Alessandro Bosco, Mohamed Amine Ouad, Massimiliano Brolli
  • NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to.

CVE-2021-32571

In OSS-RC systems of the release 18B and older during data migration procedures certain files containing usernames and passwords are left in the system undeleted but in folders accessible by top privileged accounts only.

  • Vulnerability Description: Incomplete Cleanup. – CWE-459 Software Version: <=18B NIST: https://nvd.nist.gov/vuln/detail/CVE-2021-32571 CVSv3: 4.9 Severity: Medium Credits: Alessandro Bosco, Mohamed Amine Ouad, Massimiliano Brolli
  • NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to.

Ethics in the search for vulnerabilities, in this historical period, is something very important and once identified, these vulnerabilities not documented (c.d. zeroday) must be immediately reported to the vendor avoiding to provide public information that allows their active exploitation by Threat Actors (TA) on systems without patches.

The TIM RTR laboratory has already discovered over 60 zero-day issues in the last two years, 4 of these vulnerabilities received a CSSV score of 9.8.

TIM is a leading company in the research of zero-day vulnerabilities and the results demonstrate the success of the RTR project.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, cyber security)




Leave a Reply

Your email address will not be published.