Baicells Nova

Plan PatchCVSS 9.8ICS-CERT ICSA-23-033-03Feb 2, 2023

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A command injection vulnerability in Baicells Nova 227, 233, 243, and 246 small cell base stations allows an unauthenticated attacker to execute arbitrary commands on the device. The vulnerability exists in firmware version RTS/RTD_3.6.6 and earlier due to improper validation of user-supplied input. Successful exploitation could allow an attacker to execute arbitrary system commands with the privileges of the base station process, potentially disrupting cellular service, intercepting signaling traffic, or establishing persistence.

What this means

What could happen

An attacker could execute arbitrary commands on Baicells Nova small cell base stations, potentially disrupting cellular network connectivity for emergency services and critical infrastructure communications that depend on mobile backhaul.

Who's at risk

Cellular network operators and communications service providers running Baicells Nova 227, 233, 243, or 246 small cell base stations. Organizations relying on these base stations for primary or backup cellular connectivity in rural or distributed environments should prioritize remediation to maintain network availability.

How it could be exploited

An attacker on the network can send a specially crafted command input to the Nova device without authentication. The device fails to properly validate or sanitize the command, allowing execution of arbitrary system commands on the base station processor.

Prerequisites

Network access to the Nova device management interface or API port
No authentication required
Device running firmware version RTS/RTD_3.6.6 or earlier

Remotely exploitableNo authentication requiredLow complexity attackNo patch available for affected firmware versionsAffects communications infrastructureCWE-77 improper neutralization of special elements in command

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

Nova 227: <=RTS/RTD_3.6.6≤ RTS/RTD 3.6.63.7.11.6

Nova 233: <=RTS/RTD_3.6.6≤ RTS/RTD 3.6.63.7.11.6

Nova 243: <=RTS/RTD_3.6.6≤ RTS/RTD 3.6.63.7.11.6

Nova 246: <=RTS/RTD_3.6.6≤ RTS/RTD 3.6.63.7.11.6

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict network access to Nova management interfaces; place base stations behind firewalls and isolate from business networks

WORKAROUNDDisable remote management access unless required; use VPN with strong authentication if remote access is necessary

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Baicells Nova devices (all models) to firmware version 3.7.11.6 or later via OMC or manual download from Baicells community page

Long-term hardening

0/1

HARDENINGMonitor Nova devices for unauthorized command execution or unexpected process activity

CVEs (1)

CVE-2023-24508

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/eda5959d-9ece-479e-9d7a-1c40e233e8b7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.