NGAP is a control plane (signaling) protocol that runs on SCTP port 38412. GTP-U is a user data encapsulation protocol that runs on UDP port 2152. Control plane signaling from the UE is handled by the baseband modem.
Users do not have access to the baseband modem. User plane traffic (data sent by users, such as browsing and streaming) is carried to the User Plane Function (UPF) through a GTP-U tunnel. In the 5G Control and User Plane Separation (CUPS) architecture, the UPF and the AMF are functionally separate network functions, each with its own IP address. User data reaching the control plane is a security risk, because ordinary subscribers are not authorized to access the network infrastructure.
I was able to establish an SCTP connection to the AMF from the application layer of the UE. An abnormal NGAP payload was then sent over this SCTP connection. From the 5GC side, the packet appears as NGAP-in-GTP-U. The NGAP message was delivered to the AMF and caused it to crash.
The most concerning weakness here is the routing of user plane messages, which allows anomalous signaling messages to be delivered to the AMF. A prerequisite for the attack is that the attacker knows the AMF's IP address; in this test it was found with an SCTP scan over the user plane.
Please note that this test was performed on the free5GC all-in-one virtual machine, not the containerized version; the two have different routing configurations.
In our test case, we exploited the lack of separation between the control plane and the user plane and used user traffic from user equipment as an attack vector.
There are two problems here.
- The ASN.1 parser was not robust.
- The control plane and user plane were not properly separated.
The first problem is likely an implementation defect: the ASN.1 decoders used to parse control plane messages are complex and are often vulnerable to malformed messages.
The second is an architectural issue that allows user traffic to reach the control plane, which can lead to further problems.
Even if the control plane and user plane are properly separated, a UE can still send malformed N1 messages and cause a crash. This requires a UE capable of crafting control plane messages; open source solutions such as srsUE can do this.
The free5GC project is one of the most popular open source implementations of 5G cores. We are aware of commercial solutions based on free5GC from major packet core vendors targeting the private 5G market and the telecom industry. In fact, there are defense agencies in Asia and Europe that are acquiring 5G network products from such vendors.
CVE-2022-43677 is a weak CUPS implementation in free5GC that can be exploited to trigger a control plane denial of service (DoS) through user traffic. A successful DoS attack on the packet core disrupts connectivity for the entire network. In critical sectors such as defence, police, mining and traffic control, connectivity disruptions have dire consequences. For factories that use real-time sensors in their manufacturing processes, this can result in defective products.
Recommendations and insights
We recommend the following best practices for users of the technologies described in this blog entry:
- Access control: Ensure that only trusted devices can connect to the network. SIM card issuance and use must be strictly regulated and controlled.
- Clear separation of control plane and user plane: Plane separation within the packet core prevents user data packets from being passed to the control plane.
- Use open source responsibly: When open source software is used to build critical infrastructure nodes, operators must be able to apply patches immediately when defects are found. We strongly recommend that operators thoroughly study and understand the underlying code or, failing that, obtain dedicated support for the software they use.
- Use a CT-aware DPI solution/firewall: Frequently updating critical infrastructure nodes is not trivial, as it can lead to service interruptions, so virtual patching tailored to the packet core is highly recommended. Such a solution should detect abnormal NGAP messages on N2 and, on N3, watch for misuse of GTP-U tunnels (NGAP within GTP-U, GTP-U within GTP-U).
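The N3 check from the last recommendation, as an added example that is not part of the original post or of any product: it looks inside a GTP-U G-PDU and flags an inner IPv4 packet that carries SCTP to the NGAP port 38412 (NGAP-in-GTP-U) or UDP to port 2152 (GTP-U-in-GTP-U). The `build_gtpu` helper and its addresses are constructed sample data for testing, and only an IPv4 inner packet with a plain 8- or 12-byte GTP-U header is handled.

```python
import struct

GTPU_PORT = 2152        # UDP port for GTP-U on N3
NGAP_PORT = 38412       # SCTP port for NGAP on N2
IPPROTO_UDP, IPPROTO_SCTP = 17, 132


def classify_gtpu_payload(gtpu: bytes) -> str:
    """Classify the inner packet of a GTP-U G-PDU seen on N3.

    Returns 'ngap-in-gtpu', 'gtpu-in-gtpu', 'benign' or 'malformed'.
    """
    # GTPv1-U: version bits == 1, message type 0xFF == G-PDU (user data)
    if len(gtpu) < 8 or (gtpu[0] >> 5) != 1 or gtpu[1] != 0xFF:
        return "malformed"
    # E, S or PN flag set means 4 optional header bytes follow the TEID
    hdr_len = 12 if gtpu[0] & 0x07 else 8
    inner = gtpu[hdr_len:]
    if len(inner) < 20 or (inner[0] >> 4) != 4:
        return "malformed"                # only IPv4 inner packets handled
    ihl = (inner[0] & 0x0F) * 4           # IPv4 header length in bytes
    proto = inner[9]                      # IPv4 protocol field
    l4 = inner[ihl:]
    if len(l4) < 4:                       # need at least src/dst ports
        return "malformed"
    dst_port = struct.unpack("!H", l4[2:4])[0]
    if proto == IPPROTO_SCTP and dst_port == NGAP_PORT:
        return "ngap-in-gtpu"             # signaling riding the user plane
    if proto == IPPROTO_UDP and dst_port == GTPU_PORT:
        return "gtpu-in-gtpu"             # nested tunnel
    return "benign"


def build_gtpu(proto: int, dst_port: int, teid: int = 0x1) -> bytes:
    """Constructed sample: GTP-U G-PDU wrapping a minimal IPv4 packet
    whose L4 header only carries the two port fields plus padding."""
    l4 = struct.pack("!HH", 40000, dst_port) + b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     proto, 0, bytes([10, 60, 0, 1]), bytes([10, 100, 200, 10]))
    return struct.pack("!BBHI", 0x30, 0xFF, len(ip) + len(l4), teid) + ip + l4


if __name__ == "__main__":
    for proto, port in ((IPPROTO_SCTP, NGAP_PORT), (IPPROTO_UDP, GTPU_PORT), (6, 443)):
        print(proto, port, classify_gtpu_payload(build_gtpu(proto, port)))
```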
We recommend using a multi-layered security solution that combines security and visibility across IT and communication technologies. Implementing a Zero Trust solution such as Trend Micro™ Mobile Network Security powered by CTOne adds another layer of security for enterprises and critical industries, helping to keep each private network secure for a continuous and uninterrupted industrial ecosystem. It prevents unauthorized use by ensuring that SIMs are only used from authorized devices. Trend Micro Mobile Network Security also brings CT and IT security into a unified visibility and management console.