CVE-2022-28864
📋 TL;DR
CVE-2022-28864 is a CSV injection vulnerability in the Administration of Measurements website section of Nokia NetAct. Malicious users can inject code into templateName parameters, and that code gets executed when victims download manipulated .csv or .xlsx files. This affects Nokia NetAct version 22, through the Administration of Measurements component.
💻 Affected Systems
- Nokia NetAct
📦 What is this software?
NetAct by Nokia
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution on victim machines when malicious spreadsheets are opened, potentially leading to full system compromise, data theft, and lateral movement within networks.
Likely Case
Local code execution on victim workstations when users open manipulated files, potentially leading to malware installation, credential theft, and limited system compromise.
If Mitigated
Limited impact with proper user training about opening untrusted files and application whitelisting preventing malicious code execution.
🎯 Exploit Status
Requires authenticated access to the NetAct web interface but CSV injection techniques are well-known and easily weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references
Vendor Advisory: https://www.gruppotim.it/it/footer/red-team.html
Restart Required: Yes
Instructions:
1. Contact Nokia support for patch availability
2. Apply the latest NetAct security updates
3. Restart affected services
4. Verify patch application
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation to sanitize templateName parameter inputs, removing or escaping special characters that could enable CSV injection.
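One way to apply this workaround, shown as an added example that is not Nokia's code or part of the advisory: reject formula-like template names on input, and neutralize any that are already stored when the export file is written. The function names and sample rows are assumptions; treating tab, carriage return and leading spaces as risky goes beyond the characters this page lists.

```python
import csv
import io

# '=', '+', '-', '@' are the characters named on this page. Tab and carriage
# return are added here as a conservative assumption.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet application could read the value as a formula."""
    # Leading spaces are skipped so " =..." is treated like "=..." (conservative).
    return value.lstrip(" ").startswith(FORMULA_LEADERS)


def validate_template_name(name: str) -> str:
    """Input side: refuse a templateName that would be formula-like in an export."""
    if not name or is_formula_like(name):
        raise ValueError("templateName must not be empty or start with = + - @")
    if any(ord(ch) < 0x20 for ch in name):
        raise ValueError("templateName must not contain control characters")
    return name


def neutralize_cell(value: str) -> str:
    """Output side: prefix a single quote so the cell is displayed as text."""
    # Trade-off: a legitimate value such as "-5" is also prefixed.
    return "'" + value if is_formula_like(value) else value


def export_csv(rows) -> str:
    """Write rows as CSV with every field quoted and every cell neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(str(cell)) for cell in row])
    return buf.getvalue()


# Constructed sample data: one benign name and two formula-like names that
# were stored before input validation existed.
SAMPLE_ROWS = [
    ["templateName", "owner"],
    ["KPI_daily", "alice"],
    ["=1+1", "bob"],
    ["@SUM(A1)", "carol"],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE_ROWS), end="")
```

Output-side neutralization matters even after input validation is deployed, because names saved earlier remain in the database and still reach the .csv or .xlsx download.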
Access Control Restriction
Restrict access to /aom/html/ endpoints to only authorized administrative users and implement additional authentication controls.
🧯 If You Can't Patch
- Implement network segmentation to isolate NetAct systems from general user workstations
- Deploy application whitelisting to prevent execution of malicious code from downloaded files
🔍 How to Verify
Check if Vulnerable:
Test if templateName parameter accepts special characters like =, +, -, @ followed by commands in EditTemplate.jsf and ViewAllTemplatesPage.jsf endpoints.
Check Version:
Check NetAct administration interface for version information or consult system documentation.
Verify Fix Applied:
Attempt CSV injection payloads in templateName parameter and verify they are properly sanitized or rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual template creation/modification patterns
- Multiple failed injection attempts in web logs
- Suspicious parameter values containing command characters
Network Indicators:
- Unusual file downloads from NetAct web interface
- Multiple requests to template endpoints with special characters
SIEM Query:
source="netact-web" AND (uri="/aom/html/EditTemplate.jsf" OR uri="/aom/html/ViewAllTemplatesPage.jsf") AND (param="templateName" AND value MATCHES "[=+\-@].*")