CVE-2021-43339
Published 2021-11-03
Priority: P2 (63) · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 9.56% (94.9th percentile)
In Ericsson Network Location before 2021-07-31, it is possible for an authenticated attacker to inject commands via file_name in the export functionality. For example, a new admin user could be created.
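The bug class behind this advisory, as an added illustration that is not Ericsson's code and not taken from the page's sources: an export handler that interpolates a user-controlled file_name into a shell command line, beside a hardened version that allow-lists the name, confines it to the export directory and never hands the value to a shell. The export directory /export/home/mpcadmin is taken from the IOC URLs on this page; the export_tool binary, the function names and the argument layout are assumptions.

```python
"""Bug class behind CVE-2021-43339: an export handler that drops a
user-controlled file_name into a shell command line.

Hypothetical code added to this page, not Ericsson's implementation.
Assumed for illustration: the export directory /export/home/mpcadmin
(taken from the page's IOC URLs), the placeholder 'export_tool'
binary, and the function names below.
"""
import re
from pathlib import Path
from typing import List

EXPORT_DIR = Path("/export/home/mpcadmin")                    # assumed from the IOC URLs
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")  # allow-list: no '/' and no metacharacters


def build_command_unsafe(file_name: str) -> str:
    """Vulnerable pattern: interpolate file_name into a string that is later
    handed to /bin/sh (os.system, or subprocess with shell=True).
    The command is returned, not executed, so the payload can be inspected."""
    return f"export_tool --out {file_name}"


def build_argv_safe(file_name: str) -> List[str]:
    """Hardened pattern: allow-list the name, confine it to EXPORT_DIR and
    build an argv list for subprocess.run(argv) with shell=False, so no
    shell ever parses the value."""
    if not SAFE_NAME.fullmatch(file_name):
        raise ValueError(f"rejected file_name: {file_name!r}")
    target = (EXPORT_DIR / file_name).resolve()
    # Defence in depth: the allow-list already blocks '/' and '..', but
    # check the final location anyway before it goes on the command line.
    if target.parent != EXPORT_DIR.resolve():
        raise ValueError("file_name escapes the export directory")
    return ["export_tool", "--out", str(target)]


def shell_would_run_extra_command(command: str) -> bool:
    """Crude check used only to show the effect: does the string contain a
    separator or substitution that /bin/sh would honour?"""
    return bool(re.search(r"[|;&`]|\$\(", command))


if __name__ == "__main__":
    payload = "/export/home/mpcadmin/out.csv|id"   # the '|' travels as %7C on the wire
    unsafe = build_command_unsafe(payload)
    print(unsafe, "->", "sh would also run 'id'" if shell_would_run_extra_command(unsafe) else "ok")
    print(build_argv_safe("out.csv"))
    for bad in (payload, "out.csv|id", "../etc/passwd", "$(id).csv"):
        try:
            build_argv_safe(bad)
        except ValueError as exc:
            print("blocked:", exc)
```

The vulnerable builder is returned as a string rather than executed so the injected separator can be inspected without running anything. The hardened builder's allow-list rejects the pipe, semicolon, command substitution and path traversal before any path arithmetic happens, and the argv list form means the only way the name reaches a process is as a single argument.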
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ericsson | network_location | < 2021-07-31 | 2021-07-31 |
Detection & IOCs (extracted from sources)
- URL pattern: /[CLS_ID]/[CLS_NODE_TYPE]/smpp/export?file_name=/export/home/mpcadmin/[FILENAME]&host=[HOSTNAME]
- URL pattern: /[CLS_ID]/[CLS_NODE_TYPE]/psap/wireless/specific_routings/export?file_name=/export/home/mpcadmin/[FILENAME]
- Monitor HTTP GET requests to the export endpoints whose file_name parameter contains an encoded pipe (%7C) or other shell metacharacters; these are command injection attempts via file_name.
- Detect POST requests to the NLG login endpoint /api/login/nlg/gmpc/auth/tokens with a JSON body containing the auth, method and password fields, followed immediately by export endpoint access; this matches the exploit's login-then-inject flow.
- Detect the X-Auth-Token header on GET requests to export paths under /api/value/v1/data/; the exploit authenticates once and replays the token on every injection request.
- Alert on a netcat bind shell being set up (mkfifo followed by nc -l -p 1544) by the MPS server process; this indicates successful RCE.
- There are 20 vulnerable export areas across the cells, psap, numbering and smpp fields; monitor all four path families for anomalous file_name values.
- Caveat: the exploit targets a specific product version; verify the cluster version before applying detections to avoid false positives on other Ericsson NLG deployments.
- Caveat: the exploit requires an authenticated session (a valid USERNAME/PASSWORD); detections should account for the login step that precedes the injection.
- Caveat: the exploit uses TLS on port 10083 by default; without TLS inspection on the monitoring path, network detections cannot see the injected payloads.
- Caveat: the exploiting user must hold the gmpc_celldata_admin role to reach the cells/gsm/cgi_cells path; the privilege level determines which of the 20 vulnerable endpoints are reachable.
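The detection logic above run over a constructed access log, as an added example that is not code from this page, its sources, or Ericsson. It implements three of the bullets together: shell metacharacters in the export file_name parameter (decoded first, so the %7C form and a double-encoded %257C are both caught, which goes beyond the single indicator the page lists), a successful login to /api/login/nlg/gmpc/auth/tokens followed shortly by an export request from the same client, and X-Auth-Token replay on the export GET. The log line format, client addresses, token values, the [CLS_ID]/[CLS_NODE_TYPE] values and the 30-second correlation window are assumptions.

```python
"""Detections for CVE-2021-43339 run over constructed HTTP access-log lines.

Added example, not code from this page, its sources, or Ericsson. It
implements the page's detection bullets: shell metacharacters in the
export file_name parameter (the encoded pipe %7C and friends), a login to
/api/login/nlg/gmpc/auth/tokens followed shortly by an export request
from the same client, and X-Auth-Token replay on the export GET. The log
line format, client addresses, token values and the 30-second correlation
window are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Shell separators and substitution syntax that must never appear in a file name.
SHELL_META = re.compile(r"[|;&`<>\n\r]|\$\(")
# Export endpoints in the four families the page names (cells, psap, numbering, smpp).
EXPORT_PATH = re.compile(r"/(?:cells|psap|numbering|smpp)(?:/[^/?]+)*/export$")
LOGIN_PATH = "/api/login/nlg/gmpc/auth/tokens"
LOGIN_WINDOW = timedelta(seconds=30)  # assumed: how soon after login counts as "immediately"


@dataclass
class Request:
    ts: datetime
    client: str
    method: str
    path: str             # path plus query string
    status: int
    token: Optional[str]  # X-Auth-Token value, None when the header was absent


def parse_line(line: str) -> Request:
    """Parse the assumed format: '<ISO time> <client> <METHOD> <path> <status> <token|->'."""
    ts, client, method, path, status, token = line.split(maxsplit=5)
    return Request(datetime.fromisoformat(ts.replace("Z", "+00:00")), client,
                   method, path, int(status), None if token == "-" else token)


def injected_file_name(path: str) -> Optional[str]:
    """Return the decoded file_name when an export request carries shell metacharacters."""
    url = urlsplit(path)
    if not EXPORT_PATH.search(url.path):
        return None
    for raw in parse_qs(url.query).get("file_name", []):
        # parse_qs decoded once; decode again so a double-encoded %257C is not missed.
        decoded = unquote(raw)
        if SHELL_META.search(decoded):
            return decoded
    return None


def scan(lines: List[str]) -> List[dict]:
    """Run the detections over log lines and return one alert per suspicious export."""
    alerts: List[dict] = []
    last_login: Dict[str, datetime] = {}
    for req in map(parse_line, lines):
        if req.method == "POST" and req.path == LOGIN_PATH and req.status == 200:
            last_login[req.client] = req.ts
            continue
        if req.method != "GET":
            continue
        payload = injected_file_name(req.path)
        if payload is None:
            continue
        login_ts = last_login.get(req.client)
        alerts.append({
            "client": req.client,
            "path": urlsplit(req.path).path,
            "file_name": payload,
            "login_then_inject": login_ts is not None and req.ts - login_ts <= LOGIN_WINDOW,
            "token_replayed": req.token is not None,
        })
    return alerts


# Constructed sample log, not captured from a real deployment.
SAMPLE_LOG = [
    "2021-11-03T10:00:00Z 10.0.0.5 POST /api/login/nlg/gmpc/auth/tokens 200 -",
    "2021-11-03T10:00:02Z 10.0.0.5 GET /api/value/v1/data/1/gmpc/smpp/export"
    "?file_name=/export/home/mpcadmin/out.csv%7Cid&host=h1 200 tok-5f2a",
    "2021-11-03T10:00:03Z 10.0.0.5 GET /api/value/v1/data/1/gmpc/psap/wireless/specific_routings/export"
    "?file_name=/export/home/mpcadmin/r.csv%3Bmkfifo%20/tmp/f 200 tok-5f2a",
    "2021-11-03T10:05:00Z 10.0.0.9 GET /api/value/v1/data/1/gmpc/smpp/export"
    "?file_name=/export/home/mpcadmin/daily.csv&host=h1 200 tok-91c0",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Running the block prints two alerts for 10.0.0.5 (both flagged as login-then-inject with a replayed token) and nothing for the benign daily.csv export from 10.0.0.9. In a real pipeline the parse_line function is the part to swap for the deployment's actual log format; the other two functions only need the path with its query string, the client identity, the timestamp and whether X-Auth-Token was present.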
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- https://pentest.com.tr/blog/RCE-via-Meow-Variant-along-with-an-Example-0day-PacketHackingVillage-Defcon29.html
- https://www.exploit-db.com/exploits/50468
- https://www.exploit-db.com/exploits/50469