CVE-2023-24508: Baicells RTD Firmware RCE Vulnerability

CVE-2023-24508 Overview

CVE-2023-24508 is a critical command injection vulnerability affecting Baicells Nova 227, Nova 233, Nova 243, and Nova 246 LTE TDD eNodeB devices with firmware versions through RTS/RTD 3.6.6. The vulnerability enables remote attackers to execute arbitrary shell commands via HTTP command injections without authentication. Commands are executed in a pre-login context with root permissions, providing complete control over affected network infrastructure devices.

Critical Impact
Unauthenticated attackers can remotely execute arbitrary commands with root privileges on critical telecommunications infrastructure, potentially compromising entire wireless network deployments.

Affected Products

Baicells Nova 227 LTE TDD eNodeB with RTS/RTD firmware through version 3.6.6
Baicells Nova 233 LTE TDD eNodeB with RTS/RTD firmware through version 3.6.6
Baicells Nova 243 LTE TDD eNodeB with RTS/RTD firmware through version 3.6.6
Baicells Nova 246 with RTS/RTD firmware through version 3.6.6
Baicells RTS firmware versions prior to 3.7.11.6
Baicells RTD firmware versions prior to 3.7.11.6

Discovery Timeline

January 26, 2023 - CVE-2023-24508 published to NVD
November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2023-24508

Vulnerability Analysis

This vulnerability resides in the HTTP interface of Baicells eNodeB devices, which fails to properly sanitize user-supplied input before passing it to system shell commands. The critical nature of this flaw stems from two compounding factors: the vulnerable code path is accessible without authentication (pre-login execution), and the commands are executed with root-level privileges on the underlying Linux operating system.

Baicells eNodeB devices serve as essential components in LTE wireless network infrastructure, providing radio access for mobile users. Compromise of these devices could allow attackers to intercept wireless communications, disrupt network services, or use the compromised device as a pivot point for further network intrusion.

The vulnerability was validated by third-party security analyst Rustam Amin, who provided reproduction steps confirming the exploitability of the HTTP command injection vectors.

Root Cause

The root cause of CVE-2023-24508 is improper input validation (CWE-79) in the HTTP request handling code. The firmware fails to sanitize special characters and shell metacharacters in HTTP parameters before incorporating them into system commands. This allows attackers to inject additional commands using standard shell command chaining techniques such as semicolons, pipe operators, or command substitution syntax.

The pre-login accessibility of the vulnerable endpoints means authentication controls are completely bypassed, and the root execution context ensures maximum impact from any injected commands.

Attack Vector

The attack is conducted over the network through the device's HTTP management interface. An attacker can craft malicious HTTP requests containing shell command injection payloads in vulnerable parameters. Due to the pre-authentication nature of the vulnerability, no credentials or prior access is required. The attacker only needs network reachability to the device's management interface.

A successful attack would involve:

Identifying an exposed Baicells eNodeB device with vulnerable firmware
Crafting an HTTP request with command injection payloads in vulnerable parameters
Receiving command execution results or establishing persistent access through reverse shells or implanted backdoors

The attack requires some user interaction according to the CVSS analysis, but once successful, provides complete system compromise with root privileges.

Detection Methods for CVE-2023-24508

Indicators of Compromise

Unusual HTTP requests to Baicells device management interfaces containing shell metacharacters (;, |, $(), backticks)
Unexpected outbound network connections from eNodeB devices to unknown external hosts
Modifications to system files, configurations, or addition of new user accounts on the device
Presence of unauthorized processes or scripts running on the eNodeB device

Detection Strategies

Monitor HTTP traffic to Baicells device management interfaces for command injection patterns in request parameters
Implement network segmentation monitoring to detect anomalous traffic from eNodeB infrastructure
Deploy intrusion detection signatures targeting common command injection payloads in HTTP requests
Conduct periodic firmware version audits to identify devices running vulnerable RTS/RTD versions prior to 3.7.11.6

Monitoring Recommendations

Enable comprehensive logging on all network paths to Baicells device management interfaces
Implement alerting for any outbound connections initiated by eNodeB devices to non-authorized destinations
Establish baseline behavior profiles for eNodeB devices and alert on deviations
Monitor for firmware modification attempts or unauthorized configuration changes

How to Mitigate CVE-2023-24508

Immediate Actions Required

Upgrade all affected Baicells devices to firmware version RTS 3.7.11.6 or later immediately
Restrict network access to device management interfaces using firewall rules and network segmentation
Audit all Baicells eNodeB devices to identify those running vulnerable firmware versions
Review device logs for indicators of prior exploitation attempts

Patch Information

Baicells has released firmware version RTS 3.7.11.6 that addresses this vulnerability. The updated firmware image and changelog are available through the vendor:

Organizations should prioritize updating to the patched firmware version as soon as possible given the critical severity and unauthenticated remote exploitation capability.

Workarounds

Isolate eNodeB management interfaces on dedicated management VLANs inaccessible from untrusted networks
Implement strict firewall rules allowing management access only from authorized administrator IP addresses
Deploy a reverse proxy or web application firewall (WAF) in front of device management interfaces to filter malicious requests
Disable HTTP management interface if not required and use alternative management methods where available

bash

# Example firewall configuration to restrict management access
# Allow management access only from trusted admin subnet
iptables -A INPUT -p tcp --dport 80 -s 10.0.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

CVE-2023-24508 Overview

Critical Impact
Unauthenticated attackers can remotely execute arbitrary commands with root privileges on critical telecommunications infrastructure, potentially compromising entire wireless network deployments.

Affected Products

Baicells Nova 227 LTE TDD eNodeB with RTS/RTD firmware through version 3.6.6
Baicells Nova 233 LTE TDD eNodeB with RTS/RTD firmware through version 3.6.6
Baicells Nova 243 LTE TDD eNodeB with RTS/RTD firmware through version 3.6.6
Baicells Nova 246 with RTS/RTD firmware through version 3.6.6
Baicells RTS firmware versions prior to 3.7.11.6
Baicells RTD firmware versions prior to 3.7.11.6

Discovery Timeline

January 26, 2023 - CVE-2023-24508 published to NVD
November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2023-24508

Vulnerability Analysis

The vulnerability was validated by third-party security analyst Rustam Amin, who provided reproduction steps confirming the exploitability of the HTTP command injection vectors.

Root Cause

The pre-login accessibility of the vulnerable endpoints means authentication controls are completely bypassed, and the root execution context ensures maximum impact from any injected commands.

Attack Vector

A successful attack would involve:

Identifying an exposed Baicells eNodeB device with vulnerable firmware
Crafting an HTTP request with command injection payloads in vulnerable parameters
Receiving command execution results or establishing persistent access through reverse shells or implanted backdoors

The attack requires some user interaction according to the CVSS analysis, but once successful, provides complete system compromise with root privileges.

Detection Methods for CVE-2023-24508

Indicators of Compromise

Unusual HTTP requests to Baicells device management interfaces containing shell metacharacters (;, |, $(), backticks)
Unexpected outbound network connections from eNodeB devices to unknown external hosts
Modifications to system files, configurations, or addition of new user accounts on the device
Presence of unauthorized processes or scripts running on the eNodeB device

Detection Strategies

Monitor HTTP traffic to Baicells device management interfaces for command injection patterns in request parameters
Implement network segmentation monitoring to detect anomalous traffic from eNodeB infrastructure
Deploy intrusion detection signatures targeting common command injection payloads in HTTP requests
Conduct periodic firmware version audits to identify devices running vulnerable RTS/RTD versions prior to 3.7.11.6

Monitoring Recommendations

Enable comprehensive logging on all network paths to Baicells device management interfaces
Implement alerting for any outbound connections initiated by eNodeB devices to non-authorized destinations
Establish baseline behavior profiles for eNodeB devices and alert on deviations
Monitor for firmware modification attempts or unauthorized configuration changes

How to Mitigate CVE-2023-24508

Immediate Actions Required

Upgrade all affected Baicells devices to firmware version RTS 3.7.11.6 or later immediately
Restrict network access to device management interfaces using firewall rules and network segmentation
Audit all Baicells eNodeB devices to identify those running vulnerable firmware versions
Review device logs for indicators of prior exploitation attempts

Patch Information

Baicells has released firmware version RTS 3.7.11.6 that addresses this vulnerability. The updated firmware image and changelog are available through the vendor:

Organizations should prioritize updating to the patched firmware version as soon as possible given the critical severity and unauthenticated remote exploitation capability.

Workarounds

Isolate eNodeB management interfaces on dedicated management VLANs inaccessible from untrusted networks
Implement strict firewall rules allowing management access only from authorized administrator IP addresses
Deploy a reverse proxy or web application firewall (WAF) in front of device management interfaces to filter malicious requests
Disable HTTP management interface if not required and use alternative management methods where available

bash

# Example firewall configuration to restrict management access
# Allow management access only from trusted admin subnet
iptables -A INPUT -p tcp --dport 80 -s 10.0.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

CVE-2023-24508: Baicells RTD Firmware RCE Vulnerability

CVE-2023-24508 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2023-24508

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2023-24508

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2023-24508

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2023-24508: Baicells RTD Firmware RCE Vulnerability

CVE-2023-24508 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2023-24508

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2023-24508

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2023-24508

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform