- EXECUTIVE SYNOPSIS
10.0 CVSS v3
ATTENTION: Remotely exploitable/low attack complexity
Airspan Networks is the vendor.
Mimosa by Airspan product line of equipment
Vulnerabilities: Server-side Request Forgery, SQL Injection, Deserialization of Untrusted Data, OS Command Injection, Use of a Broken or Risky Cryptographic Algorithm
- RISK ANALYSIS
An attacker could gain access to user data (including organisation details) and other sensitive data, compromise Mimosa’s AWS (Amazon Web Services) cloud EC2 instance and S3 Buckets, and execute unauthorised remote code on all cloud-connected Mimosa devices if these vulnerabilities are successfully exploited.
- TECHNICAL INFORMATION
3.1 PRODUCTS AFFECTED
The Mimosa by Airspan product line, which is a network management software platform, is impacted by this vulnerability:
PTP C-series: Device versions previous to v126.96.36.199 PTMP C-series and A5x: Device versions prior to v188.8.131.52 3.2 MMP: All versions before to v1.0.3 PTP C-series: Device versions prior to v184.108.40.206 PTMP C-series and A5x: Device versions prior to v220.127.116.11 OVERVIEW OF VULNERABILITY
3.2.1 INAPPROPRIATE AUTHORIZATION CWE-285
On various API routes, the impacted product fails to execute sufficient authorisation and authentication checks. An attacker might get access to these API routes and use them to execute remote code, cause a denial-of-service condition, and steal sensitive data.
3.2.2 INAPPROPRIATE AUTHORIZATION CWE-863
On many API functions, the impacted product does not execute sufficient authorization checks. An attacker might acquire access to these functions and use them to execute remote code, cause a denial-of-service condition, and steal sensitive data.
This vulnerability has been awarded the CVE-2022-21141 designation. The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), and the CVSS base score is 10.0.
CWE-918 3.2.3 SERVER-SIDE REQUEST FORGERY (SSRF)
An attacker might use this flaw to force the server to construct and execute a web request allowing access to backend APIs that are only available to the Mimosa MMP server, or request pages that could do various operations on their own. The attacker might force the server to access routes, secret keys, and configurations on certain cloud-hosting platforms.
This flaw has been given the number CVE-2022-21215. The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), and the CVSS base score is 10.0.
3.2.4 NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A SQL COMMAND (‘SQL INJECTION’) IS INAPPROPRIATE CWE-89
Because the compromised product does not properly sanitise user input, an attacker might use SQL injection to get sensitive data.
This vulnerability has been awarded the CVE-2022-21176 designation. The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and has a CVSS v3 base score of 8.6.
3.2.5 UNTRUSTED DATA DESERIALIZATION CWE-502
A deserialization function in the affected product does not validate or check the data, allowing arbitrary classes to be produced.
This vulnerability has been awarded the CVE-2022-0138 designation. The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and has a CVSS v3 base score of 7.5.
3.2.6 NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND THAT IS INAPPROPRIATE (‘OS COMMAND INJECTION’) CWE-78
In multiple places, the affected product fails to properly sanitise user input, allowing an attacker to inject arbitrary commands.
This vulnerability has been awarded the CVE-2022-21143 designation. The CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and has a CVSS v3 base score of 9.8.
3.2.7 APPLICATION OF A RISKY OR BROKEN CRYPTOGRAPHIC ALGORITHM CWE-327
The concerned product hashes passwords using the MD5 technique before storing them, but it does not salt the hash. As a result, attackers may be able to crack the passwords that have been hashed.
This flaw has been given the number CVE-2022-21800. The CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). A CVSS v3 base score of 6.5 has been calculated.
SECTORS OF ESSENTIAL INFRASTRUCTURE: COMMUNICATIONS
DEPLOYED COUNTRIES/AREAS: WORLDWIDE
THE HEADQUARTERS OF THE COMPANY ARE LOCATED IN THE UNITED STATES.
These flaws were submitted to CISA by Claroty’s Noam Moshe.
- PREVENTIVE MEASURES
Users are advised to update to the following products (login required) by Airspan Networks:
Version 1.0.4 or later of MMP
C5x: Version 2.90 or later PTP: C5x: Version 2.90 or later PTP: C5x: Version 2.90
Version 2.90 or later of C5c
Version 2.9.0 or later of the PTMP: C-series
Version 2.9.0 or later is required for A5x.
CISA advises users to take defensive actions to reduce the chance of these vulnerabilities being exploited. Users should, in particular,:
All control system devices and/or systems should have as little network exposure as possible, and they should not be accessible from the Internet.
Isolate control system networks and distant devices from the corporate network by placing them behind firewalls.
When remote access is essential, employ secure means such as Virtual Private Networks (VPNs), keeping in mind that VPNs may contain vulnerabilities and should be updated to the latest version available. Also keep in mind that a VPN is only as safe as the devices it connects to.
Before installing defensive measures, CISA advises enterprises to conduct a thorough effect analysis and risk assessment.
On the ICS webpage at cisa.gov, CISA also has a section dedicated to control system security best practises. Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies is one of several recommended practises that can be read and downloaded.
Additional mitigation recommendations and best practises are provided in the Technical Information Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Detection and Mitigation Strategies, which may be found on the ICS webpage at cisa.gov.
Organizations should follow their own protocols if they suspect malicious activity and report their findings to CISA for tracking and linkage with other instances.
There are no publicly available exploits that directly target these flaws.