Summary:
Ericsson has released an update for RAN Compute and Site Controller 6610 to address security issues that, if left unpatched, may allow an attacker within the protected network to execute code remotely on the device, which could ultimately result in shell access to the underlying Linux operating system.
Vulnerability description:
This section summarizes the vulnerability issue and potential impact addressed by this security update.
CVE-2024-25008 – Ericsson RAN Compute and Site Controller 6610 contains a vulnerability in the Control System where Improper Input Validation can lead to arbitrary code execution, for example to obtain a Linux shell with the same privileges as the attacker. To exploit the vulnerability, the attacker would require elevated privileges, for example a valid OAM user having the system administrator role.
CVSS base score: 6.8
Severity: Medium
CVSS vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weakness type: CWE-20 - Improper Input Validation
Security update:
The following table lists the Ericsson products affected, versions affected, and the updated version that includes this security update. To protect your system, download and install the updated version.
CVE addressed | Product name | Affected versions | Updated versions |
---|---|---|---|
CVE-2024-25008 | Ericsson RAN Compute Basebands (all BB variants) | All SW releases prior to 24.Q2 | 24.Q1 IP1; 23.Q4 C1; 23.Q3 C3; 23.Q2 C5; 23.Q1 C5 LTE only; 22.Q4 C6 LTE only |
CVE-2024-25008 | Site Controller 6610 | All versions prior to 24.Q2 | 24.Q2 |
Additional information:
- Ericsson severity assessment of a vulnerability is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your organization. We recommend evaluating the risk to your specific configuration.
- If you have any questions regarding this bulletin, please reach out to your local Ericsson support representative.
- To learn more about the vulnerability management process followed by the Ericsson Product Security Incident Response Team (PSIRT), see the Ericsson PSIRT page.
Revision history:
Revision | Date | Description |
---|---|---|
1.0 | August 16, 2024 | Initial Release |
© Ericsson AB 2024. All rights reserved. No part of this message may be reproduced in any form without the written permission of the copyright owner. The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this message.