
AMF processes entire plaintext initial NAS message #958

Closed
p1-bmu opened this issue Apr 26, 2021 · 3 comments

Comments


p1-bmu commented Apr 26, 2021

Hello,

While testing the Open5GS AMF for some NAS security features introduced in the 5G specifications, I found that the AMF processes any plaintext initial NAS message entirely (all IEs in the message are processed), without further check or warning. While the AMF still requests the replay of the initial NAS message in the Security Mode Complete, it does not care in case nothing is replayed, or a different message than the initial one, which seems contradictory to the "spirit" of the 5G security specification.

You can refer to 3GPP TS 33.501 section 6.4.6 for the global overview of the feature (while it is not saying anything specific to do in case the initial NAS message is not replayed or different), and TS 24.501 section 4.4.6 for the list of IEs that are to be processed in plaintext initial NAS message.

There are 2 main risks with this:

  • The early processing of all IEs in the AMF, and missing check against the replayed message, could potentially enable some man-in-the-middle attack at the radio interface, where some cellular capabilities of a targeted subscriber are downgraded by the attacker.
  • Processing all IEs, before the subscriber's authentication has happened, may expose the AMF more than needed; e.g. I could reach many assertions, and a memory corruption in the AMF daemon, with malformed IEs in initial NAS messages.

I tested this scenario with Open5GS daemon v2.2.1, installed from the package provided. I am attaching a pcap to provide an example for this: the initial NAS message is in complete plaintext, and not replayed in the security mode complete. The AMF processes all IEs from the initial message, and accepts the security mode complete, even without any warning. I believe only "clear-text" IEs from the message should be processed in the first place, then other IEs should be processed from the replayed message which is security protected. In case this message is not provided, I believe the NAS connection should be dropped. I did not take the time to dive into the source code yet, to check the processing path of initial NAS messages, and have no patch to provide to solve the issue: sorry for this.

open5gs_nas-init-nosec.pcap.gz

Otherwise, Open5GS is performing quite well, and is a great software project enabling strong experimentation with cellular core networks. Thank you for open-sourcing and maintaining it!

acetcom added a commit that referenced this issue May 7, 2021
1. If UE does not use a NAS container for Non-cleartext IEs,
   Open5GS AMF will send Registration reject message.
2. If UE sends Non-cleartext IEs without Integrity-protected,
   Open5GS AMF will send Registration reject message.
3. If UE does not send NAS container in Security mode complete message,
   Open5GS AMF will send Registration reject message.

acetcom commented May 7, 2021

@p1-bmu

Today, I've updated it to the main branch. Open5GS AMF will follow the following policy to enhance security.

  1. If UE does not use a NAS container for Non-cleartext IEs, Open5GS AMF will send Registration reject message.
  2. If UE sends Non-cleartext IEs without Integrity-protected, Open5GS AMF will send Registration reject message.
  3. If UE does not send NAS container in Security mode complete message, Open5GS AMF will send Registration reject message.

Let me know if you have any further questions.

Thank you so much!
Sukchan
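The three rejection rules listed above, plus the comparison of the replayed message against the initial one that the original report asks for, as an added illustration in C. This is not Open5GS code: the IE tags are symbolic names rather than the encoded IEIs of TS 24.501, the `nas_msg` struct, the function names and the sample messages are constructed for this example, and the cleartext/non-cleartext split follows TS 24.501 section 4.4.6 as cited in the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Symbolic IE tags for a 5GS REGISTRATION REQUEST. They are NOT the encoded
 * IEIs of TS 24.501; they only name the IEs for this example. Tags up to and
 * including IE_EPS_NAS_MESSAGE_CONTAINER are the cleartext IEs listed in
 * TS 24.501 4.4.6; everything after the container tag is non-cleartext. */
enum ie_tag {
    IE_5GS_REGISTRATION_TYPE, IE_NGKSI, IE_5GS_MOBILE_IDENTITY,
    IE_UE_SECURITY_CAPABILITY, IE_ADDITIONAL_GUTI, IE_UE_STATUS,
    IE_EPS_NAS_MESSAGE_CONTAINER,
    IE_NAS_MESSAGE_CONTAINER,      /* carries the full message; needs a security context */
    IE_5GMM_CAPABILITY, IE_S1_UE_NETWORK_CAPABILITY, IE_REQUESTED_NSSAI,
    IE_LAST_VISITED_TAI, IE_UE_USAGE_SETTING,
};

#define MAX_IES 16

struct nas_msg {                     /* assumed decoded form, not the wire encoding */
    bool integrity_protected;        /* security header type indicates integrity protection */
    size_t n_ies;
    enum ie_tag ies[MAX_IES];        /* top-level IEs, in order of appearance */
    const struct nas_msg *container; /* message carried in the NAS message container, or NULL */
};

enum verdict {
    NAS_ACCEPT = 0,
    NAS_REJECT_NONCLEARTEXT_UNPROTECTED, /* rules 1 and 2: non-cleartext IE outside a protected container */
    NAS_REJECT_CONTAINER_UNPROTECTED,    /* container sent without integrity protection */
    NAS_REJECT_MISSING_CONTAINER,        /* rule 3: Security Mode Complete carries no container */
    NAS_REJECT_REPLAY_MISMATCH,          /* replayed message is not the initial one */
};

static bool ie_is_cleartext(enum ie_tag t) { return t <= IE_EPS_NAS_MESSAGE_CONTAINER; }

static bool msg_has_ie(const struct nas_msg *m, enum ie_tag t)
{
    for (size_t i = 0; i < m->n_ies; i++)
        if (m->ies[i] == t) return true;
    return false;
}

/* Gate for an initial NAS message: only cleartext IEs may appear at top level,
 * so nothing else is parsed before the UE has been authenticated. */
enum verdict amf_check_initial(const struct nas_msg *m)
{
    for (size_t i = 0; i < m->n_ies; i++) {
        enum ie_tag t = m->ies[i];
        if (t == IE_NAS_MESSAGE_CONTAINER) {
            if (!m->integrity_protected || m->container == NULL)
                return NAS_REJECT_CONTAINER_UNPROTECTED;
        } else if (!ie_is_cleartext(t)) {
            return NAS_REJECT_NONCLEARTEXT_UNPROTECTED;
        }
    }
    return NAS_ACCEPT;
}

/* Gate for Security Mode Complete: the container must be present and must
 * replay the initial message (every cleartext IE sent initially reappears),
 * which is the check the original report found missing. */
enum verdict amf_check_smc(const struct nas_msg *initial, const struct nas_msg *smc)
{
    if (!msg_has_ie(smc, IE_NAS_MESSAGE_CONTAINER) || smc->container == NULL)
        return NAS_REJECT_MISSING_CONTAINER;
    for (size_t i = 0; i < initial->n_ies; i++)
        if (ie_is_cleartext(initial->ies[i]) && !msg_has_ie(smc->container, initial->ies[i]))
            return NAS_REJECT_REPLAY_MISMATCH;
    return NAS_ACCEPT;
}

/* Constructed sample messages (not taken from the pcap attached to the issue). */
static const struct nas_msg plaintext_full = { /* the reported case: every IE in the clear */
    false, 6, { IE_5GS_REGISTRATION_TYPE, IE_NGKSI, IE_5GS_MOBILE_IDENTITY,
                IE_UE_SECURITY_CAPABILITY, IE_5GMM_CAPABILITY, IE_REQUESTED_NSSAI }, NULL };
static const struct nas_msg plaintext_clear = { /* compliant: cleartext IEs only */
    false, 4, { IE_5GS_REGISTRATION_TYPE, IE_NGKSI, IE_5GS_MOBILE_IDENTITY,
                IE_UE_SECURITY_CAPABILITY }, NULL };
static const struct nas_msg other_msg = { /* a replay that is not the initial message */
    false, 2, { IE_5GS_REGISTRATION_TYPE, IE_NGKSI }, NULL };
static const struct nas_msg container_unprotected = { /* container without integrity protection */
    false, 2, { IE_5GS_MOBILE_IDENTITY, IE_NAS_MESSAGE_CONTAINER }, &plaintext_full };
static const struct nas_msg smc_no_container = { true, 0, { 0 }, NULL };
static const struct nas_msg smc_good  = { true, 1, { IE_NAS_MESSAGE_CONTAINER }, &plaintext_full };
static const struct nas_msg smc_other = { true, 1, { IE_NAS_MESSAGE_CONTAINER }, &other_msg };

enum verdict scenario_reported(void)        { return amf_check_initial(&plaintext_full); }
enum verdict scenario_clear_initial(void)   { return amf_check_initial(&plaintext_clear); }
enum verdict scenario_container_plain(void) { return amf_check_initial(&container_unprotected); }
enum verdict scenario_smc_missing(void)     { return amf_check_smc(&plaintext_clear, &smc_no_container); }
enum verdict scenario_smc_replayed(void)    { return amf_check_smc(&plaintext_clear, &smc_good); }
enum verdict scenario_smc_different(void)   { return amf_check_smc(&plaintext_clear, &smc_other); }

int main(void)
{
    static const char *names[] = { "ACCEPT", "REJECT_NONCLEARTEXT_UNPROTECTED",
        "REJECT_CONTAINER_UNPROTECTED", "REJECT_MISSING_CONTAINER", "REJECT_REPLAY_MISMATCH" };
    printf("plaintext with all IEs:      %s\n", names[scenario_reported()]);
    printf("plaintext, cleartext only:   %s\n", names[scenario_clear_initial()]);
    printf("container, unprotected:      %s\n", names[scenario_container_plain()]);
    printf("SMC without container:       %s\n", names[scenario_smc_missing()]);
    printf("SMC replaying initial:       %s\n", names[scenario_smc_replayed()]);
    printf("SMC replaying other message: %s\n", names[scenario_smc_different()]);
    return 0;
}
```

The point of splitting the gate into two functions is that the first one runs before any authentication and therefore touches nothing but the cleartext IEs, while the second only runs once the Security Mode Complete has passed integrity verification; the full IE set is parsed from the replayed copy inside the container, never from the unprotected initial message.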


p1-bmu commented May 7, 2021

Excellent! Thank you very much for these changes: this is great to target perfectly secure NAS signaling with the AMF.

@Siddharthlende

Hi @acetcom and @alingungr,
Hope you are doing good!
After pulling the main branch I am still unable to register my UE with the core; I am getting a PLMN_NOT_ALLOWED error. I cross-checked all the config files on the AMF, UE and gNB side (especially plmnid); the plmnid is the same in all AMF, UE and gNB config files.
Please find below the screenshots, and please let me know how to register my UE with the core.
(two screenshots attached to the original comment)

Thanks and Regards,
Siddharth.
