CVE-2022-39822
📋 TL;DR
CVE-2022-39822 is a SQL injection vulnerability in Nokia NFM-T R19.9's VM Manager WebUI that allows authenticated attackers to execute arbitrary SQL commands via the id or host parameters. This affects organizations using the vulnerable Nokia NFM-T version for network management.
💻 Affected Systems
- Nokia NFM-T
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the NFM-T database leading to data theft, system takeover, and lateral movement to managed network devices.
Likely Case
Unauthorized data access, privilege escalation, and potential manipulation of network device configurations.
If Mitigated
Limited impact due to proper input validation and database permissions restricting damage scope.
🎯 Exploit Status
Exploitation requires authenticated access but SQL injection via GET parameters is typically straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R19.9 with security patch or later version
Vendor Advisory: https://www.gruppotim.it/it/footer/red-team.html
Restart Required: Yes
Instructions:
1. Contact Nokia support for patch
2. Apply patch following vendor instructions
3. Restart NFM-T services
4. Verify fix
🔧 Temporary Workarounds
Input Validation Filter
Implement a web application firewall or input validation to block SQL injection patterns (all platforms)
# Configure WAF rules to block SQL injection patterns in GET parameters
# Example for mod_security:
SecRule ARGS_GET "@detectSQLi" "id:1001,phase:2,deny"
Access Restriction
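Restrict access to the /cgi-bin/R19.9/easy1350.pl endpoint (Linux)
# Apache (2.2-style directives; Apache 2.4 needs mod_access_compat for these):
# trusted_ips is a placeholder for the management addresses or networks
<Location "/cgi-bin/R19.9/easy1350.pl">
    Order deny,allow
    Deny from all
    Allow from trusted_ips
</Location>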
🧯 If You Can't Patch
- Implement strict network segmentation to isolate NFM-T from untrusted networks
- Enforce principle of least privilege for NFM-T user accounts and database permissions
🔍 How to Verify
Check if Vulnerable:
Test the /cgi-bin/R19.9/easy1350.pl endpoint with SQL injection payloads in id or host parameters (authorized testing only)
Check Version:
Check NFM-T version via admin interface or contact Nokia support
Verify Fix Applied:
Verify the patch version and test that SQL injection attempts no longer succeed
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by SQL injection patterns in web logs
Network Indicators:
- HTTP GET requests to easy1350.pl with SQL keywords in parameters
- Unusual database connections from NFM-T host
SIEM Query:
source="web_logs" AND uri="/cgi-bin/R19.9/easy1350.pl" AND (param="id" OR param="host") AND (keywords="UNION" OR keywords="SELECT" OR keywords="INSERT" OR keywords="DELETE")
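The web-log indicator above, written out as a small detector. This is an added example, not code from the advisory or from Nokia; it assumes common/combined-format access logs, and the token list and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/cgi-bin/R19.9/easy1350.pl"   # path named on this page
WATCHED = ("id", "host")                  # parameters named on this page
# Heuristic tokens (assumption): the SIEM query's keywords plus quote/comment syntax.
SQL_TOKENS = re.compile(
    r"\b(union|select|insert|delete|update|drop|sleep|benchmark)\b|--|/\*|;|'",
    re.IGNORECASE,
)
# Source address and request target of a common/combined-format log entry.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(line):
    """Return (source_ip, [(param, decoded_value), ...]) for a flagged line, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return None
    # parse_qs percent-decodes values, so encoded keywords (%64elete) are normalised
    # before matching; a raw-string match on the log line would miss them.
    params = parse_qs(url.query, keep_blank_values=True)
    hits = [(name, value)
            for name in WATCHED
            for value in params.get(name, [])
            if SQL_TOKENS.search(value)]
    return (m.group("src"), hits) if hits else None

def scan(lines):
    """Return the findings for every flagged line, in log order."""
    return [hit for hit in map(suspicious_params, lines) if hit]

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - admin [01/Jan/2023:10:00:00 +0000] "GET /cgi-bin/R19.9/easy1350.pl?id=42&host=vm-01 HTTP/1.1" 200 512',
    '10.0.0.9 - oper [01/Jan/2023:10:00:07 +0000] "GET /cgi-bin/R19.9/easy1350.pl?id=42%27%20UNION%20SELECT%20NULL--&host=vm-01 HTTP/1.1" 200 9021',
    '10.0.0.9 - oper [01/Jan/2023:10:00:09 +0000] "GET /cgi-bin/R19.9/easy1350.pl?id=7&host=vm%2D01%3B%64elete HTTP/1.1" 500 120',
    '10.0.0.7 - - [01/Jan/2023:10:00:11 +0000] "GET /index.html?id=select HTTP/1.1" 200 80',
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_LOG):
        print(src, hits)
```

The token list is a heuristic and will flag legitimate values that contain quotes or double hyphens, so treat hits as leads to correlate with the database-log indicators rather than as confirmed exploitation.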