CVE-2023-0776
Published 2023-02-11
Priority: P2 (63)
CVSS 3.1: 10 (critical), vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 1.19% (percentile 64.1)
Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430 LTE TDD eNodeB devices with firmware through QRTB 2.12.7 are vulnerable to remote shell code exploitation via HTTP command injection. Commands are executed using pre-login execution and run with root permissions. The methods below have been tested and validated by a third-party analyst and confirmed exploitable; special thanks to Rustam Amin for providing the steps to reproduce.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| baicells | neutrino_430 | <= 2.12.7 | — |
| baicells | neutrino_430_firmware | <= qrtb_2.12.7 | — |
| baicells | nova430e_firmware | <= qrtb_2.12.7 | — |
| baicells | nova430l_firmware | <= qrtb_2.12.7 | — |
| baicells | nova436q_firmware | <= qrtb_2.12.7 | — |
| baicells | nova_430e | <= 2.12.7 | — |
| baicells | nova_430i | <= 2.12.7 | — |
| baicells | nova_436q | <= 2.12.7 | — |
Detection & IOCs (extracted from sources)
- The vulnerability is exploitable via HTTP command injection on Baicells LTE eNodeB devices, executed pre-login with root permissions: monitor for unexpected HTTP requests targeting device management interfaces.
- Affected firmware versions are QRTB 2.12.7 and earlier on Baicells Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430: fingerprint device firmware versions in the network asset inventory to identify exposed devices.
- Exploitation requires no authentication (PR:N, UI:N per the CVSS vector): alert on unauthenticated HTTP requests to management interfaces of Baicells eNodeB devices.
- The CISA advisory contains a contradictory statement, "This vulnerability is not exploitable remotely," which conflicts with the CVSS vector (AV:N) and the NVD description stating it is remotely exploitable via HTTP: treat the device as remotely exploitable pending clarification.
- The patched firmware version is QRTB 2.12.8: devices still running QRTB 2.12.7 or earlier should be treated as unpatched and at risk.
CISA ICS advisory: Baicells Nova
cisa_ics · 2023-03-02 · CVSS 8.1 · [HIGH]
Release Date: March 02, 2023
Alert Code: ICSA-23-061-02
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Baicells
- Equipment: Nova 436Q, Nova 430E, Nova 430I, and Neutrino 430
- Vulnerability: Command injection
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow commands to be executed using pre-login execution and with root permissions.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
Baicells reports this vulnerability affects the following LTE TDD eNodeB devices with firmware versions through QRTB 2.12.7:
- Nova 436Q
- Nova 430E
- Nova 430I
- Neutrino 430
## 3.2 VULNERABILITY OVERVIEW
## 3.2.1 COMMAND INJECTION CWE-77
Baicells Nova 436Q, Nova 4
GHSA
GHSA-5r9j-84ww-47gm · ghsa_unreviewed · 2023-02-11 · CVE-2023-0776 [CRITICAL] CWE-77
(Same advisory text as the description above.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-02-11