Nokia has published a security advisory warning customers of two high-severity vulnerabilities affecting its CloudBand Infrastructure Software (CBIS) and Nokia Container Services (NCS) platforms. The flaws — an authentication bypass and a remote code execution (RCE) bug — carry CVSS base scores of 9.6 and 8.4 respectively, making them critical risks for telecom and enterprise operators.
CVE-2023-49564 – Authentication Bypass (CVSS 9.6)
According to Nokia, “The CBIS/NCS Manager API is vulnerable to an authentication bypass. By sending a specially crafted HTTP header, an unauthenticated user can gain unauthorized access to API functions.”
The weakness lies in poor verification mechanisms within the authentication implementation of the Nginx Podman container. Exploiting this flaw could allow attackers to reach restricted or sensitive API endpoints without valid credentials, effectively granting them elevated access to management interfaces.
Nokia advises customers that “The risk can be partially mitigated by restricting access to the management network using [an] external firewall.”
CVE-2023-49565 – Remote Code Execution (CVSS 8.4)
The second vulnerability is even more alarming. “The cbis_manager Podman container is vulnerable to remote command execution via the /api/plugins endpoint,” Nokia notes.
Improper sanitization of HTTP headers — specifically X-FILENAME, X-PAGE, and X-FIELD — allows malicious values to be passed directly into the subprocess.Popen Python function. This enables remote attackers to inject arbitrary commands.
Because the web service runs with root privileges in the container, exploitation could lead to full system compromise. As Nokia explains, “The demonstrated remote code execution permits an attacker to acquire elevated privileges for the command execution.”
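The class of bug described above, request header values reaching subprocess.Popen unsanitized, is closed by validating each value against an allowlist and passing it as its own argument with no shell involved. The Python example below is an added illustration, not Nokia's code and not taken from the advisory; the allowed value formats, the function names and the helper command it runs are assumptions made for the example.

```python
import re
import subprocess
import sys

# Hypothetical allowlists: the advisory names the headers, not their formats.
# A leading "-" is excluded so a value can never be read as a command option.
RULES = {
    "X-FILENAME": re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}"),
    "X-PAGE": re.compile(r"[0-9]{1,4}"),
    "X-FIELD": re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,31}"),
}

class RejectedHeader(ValueError):
    """Raised when a header is missing or fails its allowlist."""

def validated(headers):
    """Return the three header values, or raise RejectedHeader.

    `headers` is assumed to be a dict keyed by the exact names in RULES.
    """
    clean = {}
    for name, pattern in RULES.items():
        value = headers.get(name)
        # fullmatch() also rejects embedded newlines; ".." blocks traversal.
        if value is None or not pattern.fullmatch(value) or ".." in value:
            raise RejectedHeader(name)
        clean[name] = value
    return clean

def build_argv(headers):
    """Build an argument vector in which each value is exactly one element."""
    v = validated(headers)
    # Stand-in for the real plugin helper (assumption): a child Python
    # process that prints the arguments it was given.
    helper = [sys.executable, "-c", "import sys; print('|'.join(sys.argv[1:]))"]
    return helper + [v["X-FILENAME"], v["X-PAGE"], v["X-FIELD"]]

def run_plugin(headers):
    """Run the helper without a shell and return its stdout."""
    # A list plus shell=False means no shell ever parses the header values.
    proc = subprocess.Popen(build_argv(headers), shell=False,
                            stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate(timeout=10)
    return out.strip()
```

Running the web service as an unprivileged user inside the container is a separate control that limits the impact if validation is ever bypassed.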
Affected Products and Versions
- CBIS 22
- NCS 22.12 and NCS 23.10
Mitigation and Fixes
Nokia has already issued fixes for both vulnerabilities:
- CBIS 22 FP1 MP1.2
- NCS 22.12 MP3
- NCS 23.10 MP1
Administrators are strongly urged to upgrade immediately and restrict access to the management network to reduce exposure while applying the patches.