
      Security Bulletin – Ericsson Network Manager, April 2024

      Summary:

      Ericsson released an update for Ericsson Network Manager to address a security issue that may lead to information disclosure or code execution.

      Vulnerability description:

      CVE-2024-25007 - Ericsson Network Manager (ENM), versions prior to 23.1, contains a vulnerability in the application log export function, where improper neutralization of formula elements in a CSV file (CWE-1236) can lead to code execution or information disclosure. The impact on integrity and availability is limited. An attacker on the adjacent network with administrative access can exploit the vulnerability.

      CVSS base score: 7.1   Severity: High
      CVSS vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L
      Weakness type: CWE-1236 - Improper Neutralization of Formula Elements in a CSV File (‘CSV Injection’)
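      The control that CWE-1236 calls for on an export path, as an added Python example (this is not Ericsson code and not how ENM implements its fix): a CSV exporter that forces any cell starting with a formula character to be read as text, plus a check a reviewer can run over the produced file. The log records are constructed for the example.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start
# of a formula (the CWE-1236 trigger set). A tab or carriage return is
# included because some applications skip it and evaluate what follows.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

def neutralize_cell(value):
    """Return a cell value that a spreadsheet will display as plain text.

    A leading single quote is the conventional 'force text' marker, so any
    cell whose first character could start a formula gets one prepended.
    Trade-off: negative numbers such as "-1" also become text.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_PREFIXES):
        text = "'" + text
    return text

def export_log_csv(rows, fieldnames):
    """Serialize log records (dicts) to CSV with every cell neutralized.

    QUOTE_ALL wraps each field in double quotes so separators or newlines
    embedded in a log message cannot split one record into two cells; the
    csv module doubles any embedded double quote for us.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()

def is_safe_csv(csv_text):
    """Audit an export: no data cell may begin with a formula prefix."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)  # header row carries fixed column names
    return all(not cell.startswith(FORMULA_PREFIXES)
               for row in reader for cell in row)

# Constructed sample records; the second one carries user-controlled
# text that a spreadsheet would otherwise evaluate as a formula.
SAMPLE_LOG = [
    {"time": "2024-04-04T10:00:00Z", "user": "admin", "message": "login ok"},
    {"time": "2024-04-04T10:01:00Z", "user": "=1+1", "message": "-1 retry"},
]

if __name__ == "__main__":
    print(export_log_csv(SAMPLE_LOG, ["time", "user", "message"]))
```

      Running the exporter without neutralize_cell() against the same records makes is_safe_csv() return False, which is the condition the fixed version must prevent.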

      Security update:

      The following table lists the Ericsson software products affected, versions affected, and the fixed version that includes this security update. To protect your system, download and install the fixed version.

      CVE addressed     Product name               Affected versions            Fixed versions
      CVE-2024-25007    Ericsson Network Manager   All versions prior to 23.1   23.1 or later

      Acknowledgement:

      Ericsson thanks Luca Borzacchiello, Andrea Carlo Maria Dattola, Massimiliano Ferraresi, Massimiliano Brolli of TIM Security Red Team Research, TIM S.p.A. for reporting this issue.

      Additional information:

      • Ericsson severity assessment of a vulnerability is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your organization. We recommend evaluating the risk to your specific configuration.
      • If you have any questions regarding this bulletin, please reach out to your local Ericsson support representative.
      • To learn more about the vulnerability management process followed by the Ericsson Product Security Incident Response Team (PSIRT), see the Ericsson PSIRT page (https://www.ericsson.com/en/about-us/security/psirt).

      Revision history:

      Revision   Date            Description
      1.0        April 4, 2024   Initial Release

      © Ericsson AB 2024. All rights reserved. No part of this message may be reproduced in any form without the written permission of the copyright owner. The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this message. For questions, please contact Ericsson Local Support or connect with us on the Omni Network Channel section of My Ericsson. Visit us at Support User Preferences to unsubscribe.