AMF processes entire plaintext initial NAS message #958
Comments
Today, I've updated it to the main branch. Open5GS AMF will follow the following policy to enhance security.

1. If the UE does not use a NAS container for non-cleartext IEs, Open5GS AMF will send a Registration reject message.
2. If the UE sends non-cleartext IEs without integrity protection, Open5GS AMF will send a Registration reject message.
3. If the UE does not send a NAS container in the Security mode complete message, Open5GS AMF will send a Registration reject message.

Let me know if you have any further questions. Thank you so much!
Excellent! Thank you very much for these changes: this is great for targeting perfectly secure NAS signaling with the AMF.
Hi @acetcom and @alingungr, Thanks and Regards,
Hello,
While testing the Open5GS AMF for some NAS security features introduced in the 5G specifications, I found that the AMF processes any plaintext initial NAS message entirely (all IEs in the message are processed), without further check or warning. While the AMF still requests the replay of the initial NAS message in the Security Mode Complete, it does not care if nothing is replayed, or if a different message than the initial one is replayed, which seems contradictory to the "spirit" of the 5G security specification.
You can refer to 3GPP TS 33.501 section 6.4.6 for a global overview of the feature (while it does not say anything specific to do in case the initial NAS message is not replayed or is different), and to TS 24.501 section 4.4.6 for the list of IEs that are to be processed in a plaintext initial NAS message.
There are 2 main risks with this:
I tested this scenario with Open5GS daemon v2.2.1, installed from the package provided. I am attaching a pcap to provide an example for this: the initial NAS message is in complete plaintext, and not replayed in the security mode complete. The AMF processes all IEs from the initial message, and accepts the security mode complete, even without any warning. I believe only "clear-text" IEs from the message should be processed in the first place, then other IEs should be processed from the replayed message which is security protected. In case this message is not provided, I believe the NAS connection should be dropped. I did not take the time to dive into the source code yet, to check the processing path of initial NAS messages, and have no patch to provide to solve the issue: sorry for this.
open5gs_nas-init-nosec.pcap.gz
Otherwise, Open5GS is performing quite well, and is a great software project enabling strong experimentation with cellular core networks. Thank you for open-sourcing and maintaining it!
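The AMF-side behaviour the reporter asks for (process only the cleartext IEs of the plaintext initial NAS message, take every other IE from the integrity-protected replay carried in the SECURITY MODE COMPLETE NAS message container, and refuse the connection when that replay is missing or differs from what was first received), together with the three reject rules in the maintainer's comment above, as an added Python model. This is example code written for this page; it is not Open5GS code and does not use its NAS codec. IEs are modelled by TS 24.501 name rather than by IEI octet, the cleartext set is the example author's reading of TS 24.501 4.4.6 (check the release you target), all message values are constructed, and `amf_on_initial_message`, `amf_on_security_mode_complete` and the `scenario_*` helpers are hypothetical names.

```python
"""Model of initial-NAS-message protection (TS 33.501 6.4.6 / TS 24.501 4.4.6).
Example code for this issue, not part of Open5GS."""
from dataclasses import dataclass, field

# Cleartext IEs of a 5GMM REGISTRATION REQUEST as this example reads
# TS 24.501 4.4.6 (named, not by IEI octet). Everything else is "non-cleartext"
# and may only be processed from an integrity-protected NAS message container.
CLEARTEXT_IES = frozenset({
    "5GS registration type", "ngKSI", "5GS mobile identity",
    "UE security capability", "Additional GUTI", "UE status",
    "EPS NAS message container",
})
CONTAINER = "NAS message container"   # TS 24.501 9.11.3.33, holds a whole message


@dataclass
class NasMessage:
    """Simplified NAS PDU: message name plus IE name -> value.
    A nested NasMessage under CONTAINER models the NAS message container."""
    name: str
    ies: dict
    integrity_protected: bool = False

    def cleartext(self) -> dict:
        return {k: v for k, v in self.ies.items() if k in CLEARTEXT_IES}

    def non_cleartext(self) -> dict:
        return {k: v for k, v in self.ies.items()
                if k not in CLEARTEXT_IES and k != CONTAINER}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    processed: dict = field(default_factory=dict)   # IEs the AMF may act on


def amf_on_initial_message(msg: NasMessage) -> Verdict:
    """Plaintext initial NAS message: only cleartext IEs are trusted input."""
    leaked = msg.non_cleartext()
    if leaked:   # maintainer policy 1: non-cleartext IEs must be in the container
        return Verdict(False, "policy 1: non-cleartext IEs outside the NAS "
                              "message container: " + ", ".join(sorted(leaked)))
    if CONTAINER in msg.ies and not msg.integrity_protected:
        # maintainer policy 2: a container without integrity protection is unusable
        return Verdict(False, "policy 2: NAS message container sent without "
                              "integrity protection")
    processed = msg.cleartext()
    if CONTAINER in msg.ies:   # integrity verified, so the inner IEs are usable
        processed.update(msg.ies[CONTAINER].ies)
    return Verdict(True, "initial message accepted (cleartext IEs only)", processed)


def amf_on_security_mode_complete(initial: NasMessage, smc: NasMessage) -> Verdict:
    """SECURITY MODE COMPLETE must replay the initial message; only then are the
    non-cleartext IEs processed, and only from the replay."""
    if not smc.integrity_protected:
        return Verdict(False, "SECURITY MODE COMPLETE not integrity protected")
    replayed = smc.ies.get(CONTAINER)
    if replayed is None:   # maintainer policy 3
        return Verdict(False, "policy 3: no NAS message container in SECURITY "
                              "MODE COMPLETE, dropping the NAS connection")
    if replayed.name != initial.name or replayed.cleartext() != initial.cleartext():
        return Verdict(False, "replayed message differs from the initial NAS "
                              "message (possible bidding-down), dropping")
    processed = dict(initial.cleartext())
    processed.update(replayed.non_cleartext())
    return Verdict(True, "replay verified, full message processed", processed)


# Constructed messages (values are placeholders, not real NAS encodings).
_CLEAR = {"5GS registration type": b"\x01", "ngKSI": b"\x07",
          "5GS mobile identity": b"SUCI", "UE security capability": b"\xf0\xf0"}
_SECRET = {"Requested NSSAI": b"\x01\x01", "5GMM capability": b"\x01"}


def scenario_plaintext_everything() -> Verdict:
    """The attached-pcap case: every IE in plaintext, nothing in a container."""
    return amf_on_initial_message(NasMessage("REGISTRATION REQUEST", {**_CLEAR, **_SECRET}))


def scenario_compliant() -> tuple:
    initial = NasMessage("REGISTRATION REQUEST", dict(_CLEAR))
    replay = NasMessage("REGISTRATION REQUEST", {**_CLEAR, **_SECRET})
    smc = NasMessage("SECURITY MODE COMPLETE", {CONTAINER: replay}, integrity_protected=True)
    return amf_on_initial_message(initial), amf_on_security_mode_complete(initial, smc)


def scenario_missing_replay() -> Verdict:
    initial = NasMessage("REGISTRATION REQUEST", dict(_CLEAR))
    smc = NasMessage("SECURITY MODE COMPLETE", {}, integrity_protected=True)
    return amf_on_security_mode_complete(initial, smc)


def scenario_modified_replay() -> Verdict:
    """Replay advertises different UE security capabilities than the initial message."""
    initial = NasMessage("REGISTRATION REQUEST", dict(_CLEAR))
    tampered = {**_CLEAR, **_SECRET, "UE security capability": b"\x80\x80"}
    smc = NasMessage("SECURITY MODE COMPLETE",
                     {CONTAINER: NasMessage("REGISTRATION REQUEST", tampered)},
                     integrity_protected=True)
    return amf_on_security_mode_complete(initial, smc)
```

The comparison in `amf_on_security_mode_complete` is deliberately restricted to the cleartext IEs: those are the only values the AMF saw before security was activated, so they are the only ones it can check the replay against; the non-cleartext IEs are read from the replay for the first time and never from the plaintext copy.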