CVE-2022-30280

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in Nokia NetAct allows attackers to create users with arbitrary privileges, including administrative accounts, by tricking authenticated users into visiting malicious web pages. It affects Nokia NetAct version 22 installations with the SecurityManagement module exposed. Both internet-facing and internal deployments are at risk.

💻 Affected Systems

Products:
  • Nokia NetAct
Versions: Version 22
Operating Systems: Not specified - likely various Linux distributions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SecurityManagement module to be accessible and user to be authenticated to NetAct web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the NetAct system through creation of administrative accounts, leading to unauthorized access, data exfiltration, and potential lateral movement to connected telecom infrastructure.

🟠 Likely Case

Attackers create backdoor administrative accounts through phishing campaigns targeting NetAct administrators, leading to persistent unauthorized access.

🟢 If Mitigated

With proper CSRF protections and network segmentation, impact is limited to isolated administrative interfaces with no critical data exposure.

🌐 Internet-Facing: HIGH - Web interface exposed to internet allows remote attackers to exploit via phishing without network access.
🏢 Internal Only: HIGH - Internal users can still be phished, and once exploited, provides administrative access to critical telecom management system.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to be authenticated and to visit a malicious page. A simple HTML/JavaScript payload can trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in references - check Nokia security advisories

Vendor Advisory: Not provided in CVE references

Restart Required: Yes

Instructions:

1. Contact Nokia support for security patches.
2. Apply the patch following Nokia's deployment procedures.
3. Restart NetAct services as required.
4. Verify that CSRF protection is implemented on the createuser.jsf endpoint.

🔧 Temporary Workarounds

Implement CSRF Tokens (platform: all)

Add CSRF token validation to the /SecurityManagement/html/createuser.jsf endpoint

Requires code modification - consult Nokia documentation for CSRF implementation

Network Segmentation (platform: linux)

Restrict access to the NetAct web interface to trusted networks only

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port port="443" protocol="tcp" accept'  # TRUSTED_NETWORK is a placeholder CIDR; the rule only restricts if the zone does not already allow port 443
firewall-cmd --reload  # --permanent rules take effect only after a reload
iptables -A INPUT -s TRUSTED_NETWORK -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP  # without a DROP for all other sources, the ACCEPT above restricts nothing

🧯 If You Can't Patch

  • Implement strict network access controls to limit NetAct web interface access to administrative VLANs only
  • Deploy web application firewall with CSRF protection rules and monitor for suspicious user creation attempts

🔍 How to Verify

Check if Vulnerable:

Test /SecurityManagement/html/createuser.jsf endpoint for CSRF token validation by attempting POST requests without valid tokens

Check Version:

Check NetAct version through web interface or consult Nokia documentation for version checking procedures

Verify Fix Applied:

Verify that POST requests to createuser.jsf without valid CSRF tokens are rejected with appropriate error responses

📡 Detection & Monitoring

Log Indicators:

  • Multiple user creation events from same IP/session
  • User creation with administrative privileges from non-standard locations
  • Failed CSRF token validation attempts

Network Indicators:

  • HTTP POST requests to createuser.jsf without Referer headers
  • Requests with suspicious user agent strings or from unexpected geolocations

SIEM Query:

source="netact_logs" AND (event_type="user_creation" AND privilege_level="admin") | stats count by src_ip, user_agent
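The log and network indicators above, turned into detection logic run over constructed sample lines. This is an added example, not code from the original page or from Nokia; the log line format, the hostname netact.example.internal, the source addresses and the burst thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed format:
# <ISO time> <src_ip> <method> <path> referer="<URL or ->" ua="<agent>"
SAMPLE_LOG = """\
2022-05-10T09:00:01 10.1.1.5 POST /SecurityManagement/html/createuser.jsf referer="https://netact.example.internal/SecurityManagement/html/createuser.jsf" ua="Mozilla/5.0"
2022-05-10T09:05:12 10.1.1.5 POST /SecurityManagement/html/createuser.jsf referer="-" ua="Mozilla/5.0"
2022-05-10T09:05:13 10.1.1.5 POST /SecurityManagement/html/createuser.jsf referer="https://evil.example/page.html" ua="Mozilla/5.0"
2022-05-10T09:05:14 10.1.1.5 POST /SecurityManagement/html/createuser.jsf referer="https://evil.example/page.html" ua="Mozilla/5.0"
2022-05-10T09:10:00 10.1.1.9 GET /SecurityManagement/html/users.jsf referer="https://netact.example.internal/" ua="Mozilla/5.0"
"""

NETACT_HOST = "netact.example.internal"  # assumed hostname of the NetAct web interface
CREATEUSER_PATH = "/SecurityManagement/html/createuser.jsf"
BURST_THRESHOLD = 3  # createuser POSTs from one source IP ...
BURST_WINDOW = 60    # ... within this many seconds (assumed tuning values)
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) referer="([^"]*)" ua="([^"]*)"$')

def referer_host(referer):
    """Return the lower-cased host of a Referer URL, or None if absent ('-') or unparsable."""
    m = re.match(r'https?://([^/]+)', referer)
    return m.group(1).lower() if m else None

def analyze(log_text):
    """Flag createuser.jsf POSTs without a same-host Referer, and bursts of them per source IP."""
    # A missing Referer is a weak signal on its own (referrer policies strip it); use it for triage.
    alerts = []
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, path, referer, _ua = m.groups()
        if method != "POST" or path != CREATEUSER_PATH:
            continue
        t = datetime.fromisoformat(ts)
        host = referer_host(referer)
        if host is None:
            alerts.append((ts, ip, "createuser POST without Referer"))
        elif host != NETACT_HOST:
            alerts.append((ts, ip, f"createuser POST with foreign Referer {host}"))
        per_ip[ip].append(t)
        recent = [x for x in per_ip[ip] if (t - x).total_seconds() <= BURST_WINDOW]
        if len(recent) == BURST_THRESHOLD:
            alerts.append((ts, ip, f"{BURST_THRESHOLD} createuser POSTs within {BURST_WINDOW}s"))
    return alerts
```

Feed it the real NetAct access log format by adjusting LINE_RE; the Referer check should be paired with the Origin header where the web server logs it.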
