As intended, the base station tunnels this packet within the GTP-U tunnel and sends it to the UPF. This causes the GTP-U in the GTP-U packet to arrive at the UPF. UPF has two of his GTP-U packets. The outer GTP-U packet header is created by the base station to encapsulate data packets from the user device. This outer GTP-U packet contains 0xFF Message type is 44 and length is 44. This header is normal. The internal GTP-U header is created by the user device and sent as a data packet.The inner GTP-U as well as the outer GTP-U. 0xFF Although specified as a message type, it is not normal for the length to be 0.
The source IP address of the inner packet belongs to the user device, and the source IP address of the outer packet belongs to the base station. Both the inner and outer packets have the same destination IP address (UPF destination IP address).
UPF decapsulates the outer GTP-U and passes the functionality check. The destination of the inner GTP-U packet is also the same UPF. What happens next depends on the implementation.
- Some implementations maintain a state machine for packet traversal. Improper implementation of the state machine could result in processing of this internal GTP-U packet. This packet may have already passed the check phase because it shares the same packet context as the outer packet. This results in the presence of abnormal packets in the system that pass the sanity check.
- The packet may be sent to the UPF because the destination of the inner packet is the UPF’s own IP address. In this case, the packet is more likely to hit the feature check, so it’s less of a problem than the previous case.
attack vector
Some 5G core vendors are leveraging Open5GS code. For example, NextEPC (a 4G system, rebranded to Open5GS in 2019 to add 5G; the remaining products are from the old brand) has an enterprise offer for LTE/5G powered by Open5GS code. there is. Although no indications of an actual attack or threat have been observed, our testing uses the identified scenarios to illustrate potential risks.
The importance of the attack lies in the attack vector, i.e. the cellular infrastructure attack from the UE. This exploit requires only a mobile phone (or computer connected via a cellular dongle) and a few lines of Python code to exploit this opening to launch this type of attack. GTP-U in GTP-U attacks is a well-known technique, and backhaul IP security and encryption cannot prevent this attack. In fact, these security measures can prevent firewalls from inspecting your content.
Repair and insight
Critical industries such as healthcare and utilities are just some of the early adopters of private 5G systems, and the breadth and depth of adoption is expected to continue to grow. Continuous, uninterrupted operational reliability is critical in these industries, as human lives and real-world impacts are at stake. The basic functionality in these areas is why you choose to use a private 5G system over Wi-Fi. It is essential that private 5G systems provide reliable connectivity, as a successful attack on the 5G infrastructure can bring down the entire network.
This entry allows exploitation of CVE-2021-45462 to potentially lead to a DoS attack. The root cause of CVE-2021-45462 (and most of his GTP-U-in-GTP-U attacks) is improper error checking and error handling in the packet core. Although GTP-U-in-GTP-U itself is harmless, appropriate fixes for gaps must come from the packet core vendor, and infrastructure administrators must use the latest version of the software.
GTP-U-in-GTP-U attacks can also be used to leak sensitive information such as the IP addresses of infrastructure nodes. Therefore, GTP-U peers must be prepared to process GTP-U-in-GTP-U packets. CT environments must use an intrusion prevention system (IPS) or firewall that can understand the CT protocol. Especially in private 5G, security teams can prioritize and drop his GTP-U-in-GTP-U traffic since GTP-U is not normal user traffic.
As a general rule, SIM card registration and use must be strictly regulated and controlled. An attacker with her stolen SIM card could insert it into the attacker’s device, connect it to the network, and perform malicious deployments. Additionally, shared operating models, such as end devices or the edge of a company-owned infrastructure chain, can blur security responsibilities. Mobile phone infrastructure, on the other hand, is owned by integrators or carriers. This makes it difficult for security operations centers (SOCs) to bring together relevant information from different domains and solutions.
Additionally, due to the downtime and testing required, regularly updating critical infrastructure software to accommodate vendor patches is not and will not be easy. Therefore, virtual patching using IPS or layered firewalls is highly recommended. Fortunately, GTP-in-GTP is rarely used in real-world applications, so it may be safe to completely block all GTP-in-GTP traffic. We recommend using a multi-layered security solution that combines IT and communications technology (CT) security and visibility. Implementing a Zero Trust solution such as Trend Micro™ Mobile Network Security powered by CTOne adds another layer of security to enterprises and critical industries, ensuring each private network is secure for a continuous and uninterrupted industrial ecosystem. Unauthorized use can be prevented. SIMs are only used from authorized devices. Mobile Network Security brings CT and IT security into unified visibility and management console.
