Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label U.S. Manufacturer. Show all posts

Critical Baicells Device Vulnerability Could Make Telecom Networks Vulnerable to Spying

 

Baicells Technologies is a US-based manufacturer of 4G and 5G telecommunications equipment. According to the company, more than 100,000 of its base stations have been installed in 64 different nations worldwide. 

A serious flaw in wireless communication base stations made by Baicells Technologies can be used to take full control of voice and data traffic or to disrupt telecom networks, the latest report revealed. 

Rustam Amin, a threat analyst, has found that at least a few of Baicells' Nova base station products are vulnerable to a serious command injection flaw that can be remotely exploited without authentication by sending specially crafted HTTP requests to the targeted device.

Amin said that by making use of the weakness, known as CVE-2023-24508, an attacker may be able to execute shell commands with root capabilities and seize total control of a device. The researcher explained that a device might be quickly shut down by an attacker in order to interrupt operations. A targeted network's phone calls and traffic might also be completely under their control. Phone numbers, IMEIs, and location data might all be obtained by a hacker.

However, carrying out such an assault is not a simple task and necessitates in-depth familiarity with the targeted network. Amin informed SecurityWeek that there are more than 1,150 internet-accessible devices, most of which are situated in the United States. On January 24, Baicells released a warning to let clients know about the flaw. 

The researcher reported that the vendor responded quickly to his notification and quickly released a patch. The impacted base stations are Nova 227, 233, 243, and 246. With the introduction of version 3.7.11.3, the security flaw has been fixed. Although other items may also be compromised, the vendor's advice only lists Nova products as being affected. 

Last week, a warning about CVE-2023-24508 was released by the US Cybersecurity and Infrastructure Security Agency (CISA). Amin recently found several flaws that might be used to manipulate traffic signals in the Econolite EOS traffic controller software.