NGAP is the protocol for Control Plane (signaling), running on SCTP port 38412. GTP-U is the encapsulating protocol for user data, running on UDP port 2152. From the UE, the control plane signaling is handled by the baseband modem.
Users do not have access to the baseband modem. The user-plane traffic (data sent by the user, such as browsing and streaming) is sent to the User Plane Function (UPF) over a GTP-U tunnel. In the 5G Control Plane User Plane Separation (CUPS) architecture, the UPF and AMF are functionally separated: they are separate network functions with their own IP addresses. Normal users do not have the authorization to access the network infrastructure, so user data reaching the Control Plane is a security risk.
We were able to establish an SCTP connection with the AMF from the UE application layer. Through this SCTP connection, the anomalous NGAP payload was sent. From the 5GC side, the packet appears as NGAP-in-GTP-U. This NGAP message was delivered to the AMF and resulted in it crashing.
The most concerning weakness here is the routing of the User Plane messages. This allowed the delivery of anomalous signaling messages to the AMF. As a prerequisite of an attack, the attacker must know the AMF IP address. We were able to accomplish this using SCTP scanning through the User Plane.
Note that this test was done with a free5gc all-in-one virtual machine and not a containerized version of it. These will have different routing setups.
In our test case, the attack vector employed was user traffic from User Equipment, taking advantage of the poor separation of the control plane and the user plane.
There are two problems here:
- The ASN.1 parser was not robust
- The Control Plane and User Plane were not properly separated.
The first issue is an implementation problem. ASN.1 decoders used for parsing Control Plane messages are complicated and are often vulnerable to malformed messages.
The second issue, user traffic being able to penetrate to the control plane, is an architectural problem that could lead to more problems.
Even when the control plane and the user plane are properly separated, malformed N1 messages could still be sent from the UE to trigger the crash. For this, the UE needs the ability to craft control messages. There are open-source solutions capable of doing this (such as srsUE).
The free5GC project is one of the most popular open-source implementations of 5G core. We know of commercial solutions based on free5GC from major packet core vendors that target the private 5G market and the telecoms industry. In fact, there are national defense agencies in Asia and Europe that get their 5G network products from one such vendor.
The CVE-2022-43677 vulnerability exploits the weak CUPS implementation in free5GC to trigger a Control Plane Denial-of-Service (DoS) through user traffic. A successful DoS attack on the packet core disrupts the connectivity of the entire network. In critical sectors such as defense, policing, mining, and traffic control, disruption to connectivity leads to dire consequences. In factories that use real-time sensors for manufacturing processes, this could result in defective products being created.
Recommendations and insights
We recommend the following best practices for users of the technologies we’ve discussed in this blog entry:
- Access Control: Allow only trusted devices to connect to networks. The registration and use of SIM cards must be strictly regulated and managed.
- Clear separation of Control and Data Planes: Separation of planes in the packet core prevents data packets crossing over to the control plane.
- Open-source, with responsibility: When building critical infrastructure nodes from open-source software, users must be able to patch any defect immediately. It is highly recommended that users thoroughly learn and understand the underlying code or, if not, have dedicated support for the software they use.
- Use CT-aware DPI solutions/firewalls: It is not easy to update critical infrastructure nodes frequently, because doing so might interrupt service. Virtual patching tailored for packet cores is strongly recommended: on N2 to detect anomalous NGAP messages, and on N3 to watch for misuse of GTP-U tunnels (NGAP in GTP-U, GTP-U in GTP-U).
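The N3 check described above, as an added example that is not code from the original post or from Trend Micro or free5GC: it strips the GTPv1-U header, looks at the encapsulated IPv4 packet, and flags SCTP to the NGAP port (NGAP-in-GTP-U) or UDP to port 2152 (GTP-U-in-GTP-U). The sample frames, addresses and TEID are constructed for the example; IPv6 inner packets are not handled.

```python
import struct

NGAP_SCTP_PORT, GTPU_UDP_PORT = 38412, 2152
IPPROTO_UDP, IPPROTO_SCTP = 17, 132

def gtpu_inner(pkt: bytes) -> bytes:
    """Return the packet encapsulated in a GTPv1-U G-PDU (empty for other message types)."""
    flags, msg_type, length = struct.unpack("!BBH", pkt[:4])
    if flags >> 5 != 1 or msg_type != 0xFF:
        return b""
    hdr = 8
    if flags & 0x07:            # E/S/PN set: 4 optional octets follow the fixed header
        hdr = 12
        nxt = pkt[11]
        while nxt:              # walk extension headers: length in 4-octet units, next-type last
            ext = pkt[hdr] * 4
            if ext == 0:        # zero-length extension is malformed; refuse rather than loop
                raise ValueError("malformed GTP-U extension header")
            nxt = pkt[hdr + ext - 1]
            hdr += ext
    return pkt[hdr:8 + length]

def classify_inner(ip: bytes) -> str:
    """Label an inner IPv4 packet: 'ngap-in-gtpu', 'gtpu-in-gtpu' or 'ok'."""
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return "ok"             # non-IPv4 payload is out of scope for this example
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    if proto == IPPROTO_SCTP and NGAP_SCTP_PORT in (sport, dport):
        return "ngap-in-gtpu"   # signaling transport riding inside the user plane
    if proto == IPPROTO_UDP and dport == GTPU_UDP_PORT:
        return "gtpu-in-gtpu"   # nested tunnel
    return "ok"

def inspect_n3(pkt: bytes) -> str:
    return classify_inner(gtpu_inner(pkt))

# Constructed sample frames (not real captures): minimal IPv4 header + 4-byte L4 port pair.
def ipv4(proto, sport, dport):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      bytes([10, 60, 0, 1]), bytes([10, 200, 200, 1]))
    return hdr + struct.pack("!HH", sport, dport)

def gtpu(inner, teid=0x1234):
    return struct.pack("!BBHI", 0x30, 0xFF, len(inner), teid) + inner

SAMPLES = {
    "browsing": gtpu(ipv4(6, 40000, 443)),
    "sctp_to_amf": gtpu(ipv4(IPPROTO_SCTP, 40000, NGAP_SCTP_PORT)),
    "nested_gtpu": gtpu(ipv4(IPPROTO_UDP, GTPU_UDP_PORT, GTPU_UDP_PORT)),
}
```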
We recommend using layered security solutions that combine IT and communications technology security and visibility. Implementing zero-trust solutions, such as Trend Micro™ Mobile Network Security, powered by CTOne, adds another security layer for enterprises and critical industries to prevent the unauthorized use of their respective private networks for a continuous and undisrupted industrial ecosystem, and by ensuring that the SIM is used only from an authorized device. Trend Mobile Network Security also brings CT and IT security into a unified visibility and management console.