CVE-2022-39820

CVE-2022-39820 – NOKIA NFM-T Network Element Manager

Vulnerability Description: Unprotected Storage of Credentials – CWE-256

Software Version: R19.9

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-39820

CVSSv3: 6.5

Severity: Medium

Credits: Luca Di Giuseppe, Alessandro Bosco, Stefano Scipioni, Massimiliano Brolli

Access credentials for the web application are stored in clear text on the filesystem.

Step-by-step instructions and PoC

A remote user who is authenticated to the operating system and has access privileges to the directories “/root” and “/DEPOT” is able to read the credentials used to access the NFM-T web portal and control all the PPS network elements.

Affected files:

· PATH: “/root/RestUploadManager.xml.DRC”

· PATH: “/DEPOT/KECustom_199/OTNE_DRC/RestUploadManager.xml”

Below is the evidence with the vulnerability details.

Security Impact

An unauthorized user can access the web application with the highest privileges.
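
A defender-side check for the two affected files listed above, as an added example that is not part of the original advisory or of the vendor's software. It assumes a Linux host with GNU `stat`; the function names are hypothetical, and only file metadata is read.

```shell
#!/bin/sh
# Added example (not from the advisory): report who can read the affected files.
# Assumes GNU coreutils `stat`; run as root so that /root is traversable.
# Only metadata is read, never the file contents.

# Paths copied from the advisory, one per line.
NFMT_CRED_FILES="/root/RestUploadManager.xml.DRC
/DEPOT/KECustom_199/OTNE_DRC/RestUploadManager.xml"

# classify_cred_file PATH (hypothetical helper)
# Prints one of: absent | owner-only | group-readable | world-readable
classify_cred_file() {
    path=$1
    if [ ! -e "$path" ]; then
        echo absent
        return 0
    fi
    mode=$(stat -c '%a' "$path") || return 1
    # Left-pad with zeros, then keep the last three octal digits
    # (this drops a setuid/setgid/sticky digit if one is present).
    perms=$(printf '000%s' "$mode" | sed 's/.*\(...\)$/\1/')
    group=$(printf '%s' "$perms" | cut -c2)
    other=$(printf '%s' "$perms" | cut -c3)
    # The read bit has value 4 in each octal digit.
    if [ $((other & 4)) -ne 0 ]; then
        echo world-readable
    elif [ $((group & 4)) -ne 0 ]; then
        echo group-readable
    else
        echo owner-only
    fi
}

# audit_cred_files (hypothetical helper)
# Prints "<state><TAB><path>" per file; returns 1 if any file is
# readable by an account other than its owner.
audit_cred_files() {
    rc=0
    old_ifs=$IFS
    IFS='
'
    for f in $NFMT_CRED_FILES; do
        state=$(classify_cred_file "$f")
        printf '%s\t%s\n' "$state" "$f"
        case $state in
            group-readable|world-readable) rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}
```

Call `audit_cred_files` as root on the NFM-T host; a non-zero status means at least one file is readable beyond its owner. An `owner-only` result narrows exposure, but the credentials are still stored in clear text (CWE-256).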