Baicells Nova 227, Nova 233 and Nova 243 LTE TDD eNodeB devices and the Nova 246, with firmware through RTS/RTD 3.6.6, are vulnerable to remote shell code exploitation via HTTP command injection. If exploited, this vulnerability could allow an attacker to execute arbitrary commands with root permissions. CVE-2023-24508 has been assigned to this issue, and a CVSS v3 base score of 9.8 has been calculated. To mitigate this risk, Baicells has released firmware version 3.7.11.3 and later, which can be downloaded from the Baicells community page or applied as an upgrade via OMC. CISA recommends that users take defensive measures to minimize the risk of exploitation, such as minimizing network exposure for all control system devices and/or systems and ensuring they are not accessible from the Internet. Additionally, CISA provides a section on recommended practices for control systems security on the ICS webpage at cisa.gov/ics. Organizations that observe suspicious activity should follow established internal procedures and report findings to CISA.
This Cyber News was published on us-cert.cisa.gov. Publication date: Thu, 02 Feb 2023 17:44:03 +0000