
Content for  TR 33.926  Word version:  17.6.0


5  Generic assets and threats

5.1  Introduction

The present subclause contains assets and threats that are believed to apply to more than one network product.

5.2  Generic critical assets

The critical assets of GNP to be protected are:
  • User account data and credentials (e.g. passwords);
  • Log data;
  • Configuration data, e.g. GNP's IP address, ports, VPN ID, Management Objects (e.g. user group, command group) etc.
  • Operating System (OS), i.e. the files that make up the OS and its processes (code and data);
  • GNP Application;
  • Sufficient processing capacity: processing power is not consumed close to its limits;
  • Hardware, e.g. mainframe, board, power supply unit etc.
  • The interfaces of the GNP that are to be protected and are within SECAM scope, for example:
    • Console interface, for local access: local interface on MME
    • OAM interface, for remote access: interface between MME and OAM system
  • GNP Software: binary code or executable code

5.3  Generic threats

5.3.0  Generic threats format

Threats are described using the following format:
  • Threat Name:
  • Threat Category:
  • Threat Description:
  • Threatened Asset:

5.3.1  Introduction

Threat analysis is an important step in the SCAS methodology: it justifies each proposed requirement and ensures that no relevant requirement has been forgotten.
In particular, to ensure this latter point, the threat analysis needs to be free of gaps and overlaps, and it needs to be ensured that every relevant threat is covered by a requirement.
To resolve overlaps, it is suggested to first look at the action used to exploit the threat under consideration. For example, if passwords are stored locally in the GNP (e.g. in a database or file system) in an insecure way (e.g. clear text, unsalted hashes), an attacker can retrieve these passwords (e.g. by retrieving the file containing them and, if unsalted hashes are used, recovering them by brute forcing) and later use them. So the threat related to this scenario is Information Disclosure.
To achieve this goal, the identified threats are grouped into seven categories: one covering threats relating to 3GPP-defined interfaces and the other six corresponding to the categories proposed by STRIDE [http://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx] and reported below:
  • Spoofing identity: An example of identity spoofing is illegally accessing and then using another user's authentication information, such as username and password.
  • Tampering with data: Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet.
  • Repudiation: Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise. For example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations. Non-repudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that the user did receive the package.
  • Information disclosure: Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it. For example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers.
  • Denial of service: Denial of service (DoS) attacks deny service to valid users, for example by making a Web server temporarily unavailable or unusable. You need to protect against certain types of DoS threats simply to improve system availability and reliability.
  • Elevation of privilege: In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed.
All the reported threats follow the template below:
  • Threat Name: i.e. the name of the threat
  • Threat Category: i.e. one of the six STRIDE categories
  • Threat Description: i.e. a description of how the threat can be exploited and, where applicable, the impacts/consequences of its exploitation
  • Threatened Asset: i.e. the asset affected by the threat

5.3.2  Threats relating to 3GPP-defined interfaces

The threats relating to 3GPP-defined interfaces, cf. clause 4.3.6, may have been sufficiently covered, explicitly or implicitly, in the course of the work on 3GPP security specifications. There is no need to repeat this work for the purposes of the present SCAS, and these threats and risks are therefore not considered here separately.
They may have also been addressed in contributions to 3GPP Working Group meetings.
A good source for these threats and risks is TR 33.821.
Note also that threats that relate to actions local to the NP and/or do not affect interoperability may also not have been addressed by existing 3GPP work.
When threats relating to 3GPP-defined interfaces are found that are not sufficiently covered in existing 3GPP security specifications, they need to be addressed in the present SCAS. Generic threats, e.g. threats relating to protocol robustness, that also apply to 3GPP-defined interfaces are covered in the present clause.

5.3.3  Spoofing identity

5.3.3.1  Default Accounts

  • Threat name: Default Accounts
  • Threat Category: Spoofing Identity
  • Threat Description: A default account with a default password, or just a user account with a default password, may be provided on the GNP and this password may not be modified in time. An attacker can obtain this password, for a low clearance level user or even a high clearance level user, from documentation or by brute forcing. With the default password an attacker can access the GNP via the console (e.g. via direct connection to the GNP through serial and/or USB ports) or via network interfaces (e.g. management and maintenance), and, for example, modify the configuration and/or interfere with normal network operation.
  • Threatened Asset: User account data and credentials

5.3.3.2  Weak Password Policies

  • Threat name: Weak Password Policies
  • Threat Category: Spoofing Identity
  • Threat Description: Weak password policies (e.g. short password length, blank passwords, or no rules on password age, password history and dictionary words) can make password cracking very simple (e.g. the password can be guessed by brute forcing in a short time). With these passwords an attacker can access the GNP via the console (e.g. via direct connection to the GNP through serial and/or USB ports) or via network interfaces (e.g. management and maintenance), and, for example, modify the configuration and/or interfere with normal network operation.
  • Threatened Asset: User account data and credentials

5.3.3.3  Password peek

  • Threat name: Password peek
  • Threat Category: Spoofing Identity
  • Threat Description: When a password is displayed on screen in plain text, it can easily be seen by a local observer other than the operator. With these passwords an attacker can access the GNP via the console (e.g. via direct connection to the GNP through serial and/or USB ports) or via network interfaces (e.g. management and maintenance), and, for example, modify the configuration and/or interfere with normal network operation.
  • Threatened Asset: User account data and credentials

5.3.3.4  Direct Root Access

  • Threat name: Direct Root Access
  • Threat Category: Spoofing Identity
  • Threat Description: An attacker fraudulently accesses the root account directly via a network/remote connection, for example by a brute-force attack.
  • Threatened Asset: all critical assets of GNP as listed in clause 5.2, except hardware assets

5.3.3.5  IP Spoofing

  • Threat Name: IP Spoofing
  • Threat Category: Spoofing Identity.
  • Threat Description: IP spoofing is used to gain unauthorized access to a computer. An attacker sends packets to a computer with a source address indicating that the packet comes from a trusted port or system.
  • Threatened Asset: GNP.

5.3.3.6  Malware

  • Threat Name: Malware
  • Threat Category: Spoofing Identity, Denial of Service, Elevation of Privilege, Tampering, Information Disclosure
  • Threat Description: Malware can act as a legitimate user and perform malicious activities.
  • Threatened Asset: all critical assets of GNP as listed in clause 5.2, except hardware assets

5.3.3.7  Eavesdropping

  • Threat name: Eavesdropping
  • Threat Category: Spoofing Identity, Tampering, Repudiation
  • Threat Description: Eavesdropping or sniffing is an attack consisting of capturing network traffic and reading the data content in search of sensitive information like passwords, session tokens, or any kind of confidential information. So an attacker can eavesdrop on network traffic, for example on the management/maintenance interfaces, to retrieve credentials which can be used to spoof a user identity. Eavesdropping can be performed, e.g., by means of MITM attacks. This type of attack may be possible, for example, if weak cryptographic protocols or non-industry-standard cryptographic algorithms are used, or if the communication protocols have been implemented incorrectly.
  • Threatened Asset: User account data and credentials

5.3.4  Tampering

5.3.4.1  Software Tampering

  • Threat Name: Software Tampering
  • Threat Category: Tampering
  • Threat Description: Software packages can be tampered with/altered during their installation/upgrade on the GNP. An attacker can, for example, inject malicious code, altering their legitimate behaviour. After the installation or upgrade process, the malicious code can be executed to conduct several attacks (e.g. DoS, information stealing, fraud and so on).
  • Threatened Asset: all critical assets of GNP as listed in clause 5.2, including hardware assets.

5.3.4.2  Ownership File Misuse

  • Threat Name: Ownership File Misuse
  • Threat Category: Tampering
  • Threat Description: If files owned by a user (root as well as non-root users) can be altered improperly and illegitimately by a user other than the owner, then an attacker can conduct several types of attacks (e.g. DoS, information stealing, and so on).
  • Threatened Asset: GNP files.

5.3.4.3  External Device Boot

  • Threat name: External Device Boot
  • Threat Category: Tampering
  • Threat Description: If the GNP operating system can be booted not only from internal memory but also from another source (e.g. USB flash drive, memory card), the GNP bootloader may be maliciously tampered with by an attacker. This does not necessarily mean that booting from external memory constitutes a threat.
  • Threatened Asset: hardware, operating system

5.3.4.4  Log Tampering

  • Threat name: Log Tampering
  • Threat Category: Tampering, Repudiation
  • Threat Description: If the GNP does not securely store log files, an attacker can, for example, inject, delete or otherwise tamper with the contents of the logs, typically for the purpose of masking other malicious behaviour.
  • Threatened Asset: Log file
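An added example, not part of TR 33.926, of one way a GNP could make log tampering detectable: an HMAC hash chain over log entries, so that modifying, injecting or removing an entry breaks verification from that point on, with the last tag periodically reported to a remote collector to catch truncation of the tail. The log lines and the key are constructed.

```python
import hashlib
import hmac

GENESIS_TAG = "0" * 64  # chain anchor for an empty log


def _tag(key: bytes, prev_tag: str, seq: int, message: str) -> str:
    """HMAC over the previous tag, the sequence number and the entry text,
    so every entry commits to everything written before it."""
    data = f"{prev_tag}\n{seq}\n{message}".encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(chain: list, key: bytes, message: str) -> dict:
    """Append one log entry; its tag depends on the whole chain so far."""
    prev = chain[-1]["tag"] if chain else GENESIS_TAG
    seq = len(chain)
    entry = {"seq": seq, "msg": message, "tag": _tag(key, prev, seq, message)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes, anchored_tag: str = None) -> tuple:
    """Return (ok, index). On failure, index is the first entry whose tag does
    not fit the chain: an edited, injected or removed entry breaks every tag
    from that point on. anchored_tag is the last tag previously reported to a
    remote collector; when given, silent truncation of the tail is detected too."""
    prev = GENESIS_TAG
    for i, e in enumerate(chain):
        expected = _tag(key, prev, i, str(e.get("msg", "")))
        if e.get("seq") != i or not hmac.compare_digest(str(e.get("tag", "")), expected):
            return (False, i)
        prev = e["tag"]
    if anchored_tag is not None and prev != anchored_tag:
        return (False, len(chain))
    return (True, len(chain))


# Constructed sample: a short security log as a GNP might write it.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:00Z login user=oam_admin src=10.0.0.7 result=ok",
    "2024-03-01T10:02:11Z config change object=ntp-server by=oam_admin",
    "2024-03-01T10:05:42Z login user=root src=10.0.0.9 result=fail",
]

if __name__ == "__main__":
    key = b"constructed-demo-key-keep-off-the-gnp"  # in practice: per-node key in protected storage
    log = []
    for event in SAMPLE_EVENTS:
        append_entry(log, key, event)
    print(verify_chain(log, key))                          # intact chain
    log[2]["msg"] = log[2]["msg"].replace("fail", "ok")    # an attacker rewrites the failed login
    print(verify_chain(log, key))                          # breaks at entry 2
```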

5.3.4.5  OAM Traffic Tampering

  • Threat name: OAM Traffic Tampering
  • Threat Category: Tampering
  • Threat Description: Usage of weak cryptographic algorithms for sensitive information/data transmitted over the OAM interface can expose it to malicious tampering. For example, an attacker can gain access to the management/maintenance interfaces and modify the data stream to/from the GNP.
  • Threatened Asset: sensitive data transferred over OAM

5.3.4.6  File Write Permissions Abuse

  • Threat name: File/Directory Write Permissions Misuse
  • Threat Category: Tampering
  • Threat Description: File write permissions which are far too liberal are potentially vulnerable and can be abused by an attacker to cause DoS. For example, a password file with too liberal write permissions can be altered by an unauthorized user, who can change the administration password, making it impossible for the administrator to log on to the GNP.
  • Threatened Asset: all critical assets of GNP as listed in clause 5.2, except hardware assets.

5.3.4.7  User Session Tampering |R15|

  • Threat name: User Session Tampering
  • Threat Category: Tampering
  • Threat Description: Usage of insufficiently random values to identify a user session (e.g. sessionID for web sessions) can be exploited by an attacker to tamper with this user session by predicting/guessing these identifiers.
  • Threatened Asset: User Sessions

5.3.5  Repudiation

5.3.5.1  Lack of User Activity Trace

  • Threat Name: Lack of User Activity Trace
  • Threat Category: Repudiation
  • Threat Description: A system user, including a possible attacker, can maliciously or erroneously access and modify data in the GNP system with no or lesser possibility of the actions later being traced to his/her user identity. One scenario of anonymity is when the user is logged on to a system group account.
  • Threatened Asset: all critical assets of GNP as listed in clause 5.2, except hardware assets

5.3.6  Information disclosure

5.3.6.1  Poor key generation

  • Threat Name: Poor key generation
  • Threat Category: Information Disclosure
  • Threat Description: Poor key generation may help an attacker to discover and disclose the key and then read or modify the encrypted data. Attackers can discover a key, for example, if:
    • It was generated in a non-random fashion (e.g. with an insecure random generator).
    • It was generated starting from a passphrase containing low entropy.
    • The generated key length is too short, so the time needed to retrieve the key by means of dictionary attacks is short.
  • Threatened Asset: all critical assets in the GNP as listed in clause 5.2, except hardware assets.

5.3.6.2  Poor key management

  • Threat Name: Poor key management
  • Threat Category: Information Disclosure
  • Threat Description: Poor key management may help an attacker to discover the key and then read or modify the encrypted data. Attackers can discover the keys if, for example:
    • Weak key management protocols are used;
    • The keys are stored in an unencrypted file accessible by everyone;
    • The keys are not renewed/updated regularly;
    • The keys are text strings and can be found by searching for all strings in the system;
    • The keys can be found in the memory image of running processes;
    • RAM does not lose its contents immediately after power-down;
    • RAM can be investigated for keys;
    • The keys are not safely destroyed after their use.
  • Threatened Asset: all critical assets in the GNP as listed in clause 5.2, except hardware assets.

5.3.6.3  Weak cryptographic algorithms

  • Threat Name: Use of weak cryptographic algorithms
  • Threat Category: Information Disclosure
  • Threat Description: Usage of weak cryptographic algorithms for stored or transmitted sensitive information/data can expose it to disclosure and possibly tampering.
  • Threatened Asset: all critical assets in the GNP as listed in clause 5.2, except hardware assets.

5.3.6.4  Insecure Data Storage

  • Threat name: Insecure Data Storage
  • Threat Category: Information Disclosure
  • Threat Description: The GNP stores sensitive data locally (e.g. communication keys (i.e. KNASenc, KNASint, KeNB), passwords). An attacker can retrieve these data if they have been stored in an insecure way (e.g. clear text, unsalted hashes).
  • Threatened Asset: Any sensitive data stored locally to the GNP
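As an added illustration of the storage weakness named in clause 5.3.1 and in this threat (it is not part of TR 33.926), the Python below contrasts an unsalted hash with a salted, iterated one and includes an audit helper that flags duplicate digests in a credential store, the give-away of an unsalted file. The account names, the password and the PBKDF2 parameters are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample: two local accounts that happen to share a password
# (a common situation with vendor defaults, cf. clause 5.3.3.1).
SAMPLE_ACCOUNTS = {"oam_admin": "Winter2024!", "field_tech": "Winter2024!"}

ITERATIONS = 600_000  # PBKDF2 work factor; raise as the hardware permits


def unsalted_sha256(password: str) -> str:
    """The insecure scheme from the threat: a bare, unsalted hash. Equal
    passwords give equal digests, so a leaked file is crackable in bulk
    with one precomputed table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256. The record is self-describing so
    the work factor can be raised later without invalidating old records."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Constant-time check of a password against a stored record."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:
        return False  # malformed record: never accept
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_digests(password_file: dict) -> dict:
    """Audit helper for a reviewed (or leaked) credential store: groups the
    accounts whose stored digests are identical. Any group larger than one
    means the store is unsalted, or salts were reused."""
    groups = {}
    for user, digest in password_file.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in SAMPLE_ACCOUNTS.items()}
    strong = {u: store_salted(p) for u, p in SAMPLE_ACCOUNTS.items()}
    print("unsalted duplicates:", duplicate_digests(weak))    # one group of two accounts
    print("salted duplicates:  ", duplicate_digests(strong))  # empty
    print("login ok:", verify_salted("Winter2024!", strong["oam_admin"]))
```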

5.3.6.5  System Fingerprinting

  • Threat Name: System Fingerprinting
  • Threat Category: Information Disclosure
  • Threat Description: The GNP could potentially disclose information about account details, operating system version and/or other software versions, server names and so on. That can be used by an attacker to perform other attacks.
  • Threatened Asset: all critical assets in the GNP as listed in clause 5.2, except hardware assets.

5.3.6.6  Malware

  • Threat Name: Malware.
  • Threat Category: Information Disclosure.
  • Threat Description: Malware installed on the GNP can access all the sensitive data stored locally on the GNP (e.g. accounts, keys, and user data).
  • Threatened Asset: all critical assets in the GNP as listed in clause 5.2, except hardware assets.

5.3.6.7  Personal Identification Information Violation

  • Threat Name: Personal Identification Information Violation.
  • Threat Category: Information Disclosure.
  • Threat Description: Data containing identities of mobile network subscribers are critical for user privacy. Leakage of these users' identities can lead to loss of privacy, e.g. tracing of a user. Protection of users' identities is also a requirement from regulators.
  • Threatened Asset: Mobility Management data (e.g. user identities).

5.3.6.8  Insecure Default Configuration

  • Threat Name: Insecure Default Configuration
  • Threat Category: Information Disclosure
  • Threat Description: An attacker could exploit an insecure default GNP configuration to access sensitive information/data available on the GNP. For example, a default GNP configuration can use NULL integrity not only for unauthenticated emergency calls. This can compromise the integrity of RRC signalling and make Man in the Middle attacks in the AS domain possible, with interception, for example, of user communications.
  • Threatened Asset: GNP configuration data and mobility management data.

5.3.6.9  File/Directory Read Permissions Misuse

  • Threat name: File/Directory Read Permissions Misuse
  • Threat Category: Information Disclosure, Elevation of Privilege, DoS, Tampering
  • Threat Description: File and directory read permissions which are far too liberal can allow access to the contained data by illegitimate users (e.g. password files with too liberal file permissions can be accessed by unauthorized users).
  • Threatened Asset: all critical assets of GNP as listed in clause 5.2, except hardware assets

5.3.6.10  Insecure Network Services

  • Threat name: Insecure Network Services
  • Threat Category: Information Disclosure
  • Threat Description: The GNP can expose insecure/vulnerable services/open ports which can be exploited by an attacker to gain sensitive information/data. For example the GNP can be configured to return sensitive information using telnet on a custom port without any authentication mechanism being configured.
  • Threatened Asset: all critical assets of GNP as listed in clause 5.2, except hardware assets

5.3.6.11  Unnecessary Services

  • Threat name: Unnecessary Services
  • Threat Category: Information Disclosure
  • Threat Description: The GNP can expose unnecessary services which can be exploited (even if not vulnerable) by an attacker to gain sensitive information/data. The term unnecessary used in this threat refers to three cases:
    • Network service not strictly related to GNP operation (e.g. Splunk service)
    • Network service available on unexpected interfaces (e.g. SSH enabled on the interface interconnecting the GNP and Remote Management)
    • Service that does not provide a network service but runs on the GNP and is not needed for normal GNP operation (e.g. the fprint service available in the default Fedora distribution, or xinetd services).
  • Threatened Asset: all critical assets of GNP as listed in clause 5.2, except hardware assets

5.3.6.12  Log Disclosure

  • Threat name: Log Disclosure
  • Threat Category: Information Disclosure
  • Threat Description: When operational activities are recorded by the GNP, these records are called system logs. There are other logs, e.g. operation logs and security logs. These logs can contain sensitive information/data (e.g. system data, user data, CDRs, or also debugging information) which can be accessed by an attacker to gather information about the system and to perform other attacks towards users or the system itself.
  • Threatened Asset: all critical assets of GNP as listed in clause 5.2, except hardware assets

5.3.6.13  Unnecessary Applications

  • Threat name: Unnecessary Applications
  • Threat Category: Information Disclosure
  • Threat Description: There are applications (i.e. features and functionalities) in the GNP which can be related to personal privacy (e.g. the LCS application). Even if an operator does not deploy these features and functionalities, they can be available in the system as part of a software distribution. Consequently there is a risk that an attacker enables these applications without authorization (e.g. contrary to what is included in the licence issued by the vendor). For example, the attacker may enable a feature such as LCS and obtain the location information of a user.
  • Threatened Asset: personal privacy related features, functions and applications, e.g. LCS.

5.3.6.14  Eavesdropping

  • Threat name: Eavesdropping
  • Threat Category: Information Disclosure
  • Threat Description: An attacker can eavesdrop on network traffic, for example on the management/maintenance interfaces. This may be possible if weak cryptographic protocols or non-industry-standard cryptographic algorithms are used, or if the communication protocols are implemented incorrectly. Eavesdropping can be performed, for example, by means of MITM attacks, ARP poisoning, ICMP redirects and so on.
  • Threatened Asset: all critical assets of GNP as listed in clause 5.2

5.3.6.15  Security threat caused by lack of GNP traffic isolation

  • Threat name: Security threat caused by lack of GNP traffic isolation
  • Threat Category: Information disclosure
  • Threat Description: When signalling traffic and management traffic are not isolated, an attack on the signalling traffic can also impact the management traffic, and vice versa. For example, an attacker who wants to obtain important signalling-related information can intercept and capture signalling traffic on the GNP's interface. If management and signalling traffic are not isolated and use the same physical interface, important management-related information may be intercepted and captured as well, so the security threats to signalling traffic can impact management traffic and result in unauthorized access to the GNP. In the same way, an attacker who attacks the GNP's management traffic can obtain important signalling-related information, resulting in tampering and privacy leakage of signalling.
  • Threatened Asset: all critical data transferred via the GNP as listed in clause 5.2

5.3.7  Denial of service

5.3.7.1  Compromised/Misbehaving User Equipments

  • Threat Name: Compromised/Misbehaving User Equipments
  • Threat Category: DoS
  • Threat Description: A large number of compromised or misbehaving user equipments (UEs) can cause a fault on the GNP with a consequent denial of service. For example, an attacker can control a huge number of UEs and send a large number of simultaneous attach/detach requests to the GNP without following the normal protocol flow. The resources on the GNP (e.g. processing resources or radio resources) can be exhausted and the GNP becomes unable to process other, valid NAS signalling requests.
  • Threatened Asset: GNP resources (e.g. system processing capacity (e.g. CPU, memory), network links, radio links and so on).

5.3.7.2  Implementation Flaw

  • Threat Name: Implementation Flaw.
  • Threat Category: DoS.
  • Threat Description: An attacker can exploit an implementation flaw in one of the protocols supported by a GNP or in one application available on the GNP and cause a DoS.
  • Threatened Asset: all critical assets of GNP as listed in clause 5.2, except hardware assets.

5.3.7.3  Insecure Network Services

  • Threat name: Insecure Network Services.
  • Threat Category: DoS.
  • Threat Description: The GNP can expose insecure/vulnerable services/open ports which can be exploited by an attacker to crash the GNP.
  • Threatened Asset: GNP services.

5.3.7.4  Human Error

  • Threat name: Human Error
  • Threat Category: Denial of service
  • Threat Description: The general threat of human error in operation and maintenance. This can include network, network element and firewall configuration settings. It can also include the risk of user accounts being forgotten during change or deletion, or other slips in their handling. Causes can be maintenance workload, fatigue, inexperience, etc., and may arise irrespective of the applied policy. For network operation this threat is hard to categorize within the STRIDE approach, but Denial of Service is one important threat category for it.
  • Threatened Asset: all critical assets of GNP as listed in clause 5.2, except hardware assets.

5.3.8  Elevation of privilege

5.3.8.1  Misuse by authorized users

  • Threat Name: misuse by authorized users
  • Threat Category: Elevation of Privilege
  • Threat Description: A malicious employee or his/her co-worker misuses the network access and management authorization to attempt to upgrade his/her account to, for example, administrative privileges, or to gain access to password files within the system.
  • Threatened Asset: The network access and management authorization.

5.3.8.2  Over-Privileged Processes/Services

  • Threat Name: Over-Privileged Processes/Services.
  • Threat Category: Elevation of Privilege.
  • Threat Description: GNP processes/services running with higher privileges than needed (i.e. root or Administrator) can allow an attacker to obtain elevated privileges as well. An attacker can, for example, try to leverage a bug in the running program and execute arbitrary code with elevated privileges.
  • Threatened Asset: Over-Privileged Processes/Services.

5.3.8.3  Folder Write Permission Abuse

  • Threat Name: Folder Write Permission Abuse
  • Threat Category: Elevation of Privilege
  • Threat Description: Weaknesses in folder permissions can lead to elevation of privilege. A root user can by mistake execute malicious files placed into a directory by attackers who have sufficient write permissions on it. The same applies to other directories where users other than root have write permission. Any account that has write permission on a directory has equivalent access to the executable files within that directory. These permissions allow a non-administrator to replace directories containing executable files with new directories containing new executable files, or simply to delete directories and the executable files they contain.
  • Threatened Asset: System folders with weak write permission.

5.3.8.4  Root-Owned File Write Permission Abuse

  • Threat Name: Root-Owned File Write Permission Abuse.
  • Threat Category: Elevation of Privilege.
  • Threat Description: Failure to protect root-owned executable files from write access by non-administrators exposes them to the possibility of being compromised. For example, non-administrator users can replace or alter the file's contents, and unknown or malicious injected code can then be executed inadvertently by root.
  • Threatened Asset: Root-Owned Files with weak write permission.

5.3.8.5  High-Privileged Files

  • Threat name: High-privileged files.
  • Threat Category: Elevation of Privilege, DoS, Tampering.
  • Threat Description: If files can be run with higher privileges than what the owner normally has, i.e. with temporarily elevated rights, this can be dangerous to the system.
  • Threatened Asset: High privileged files.
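As an added check, not part of the specification, covering the file and directory permission threats of clauses 5.3.4.6, 5.3.6.9, 5.3.8.3, 5.3.8.4 and this clause: a Python audit that walks a tree and flags world-writable files, world-writable directories without the sticky bit, root-owned executables writable by non-root, setuid/setgid files and world-readable sensitive files. The rule set is separated from the filesystem walk so it can be tested on bare mode bits; the list of sensitive file suffixes is an assumption to adapt to the product.

```python
import os
import stat

# Assumed convention: these name suffixes mark files whose contents are
# sensitive (keys, credential stores); adjust to the product's own layout.
SENSITIVE_SUFFIXES = (".key", ".pem", "shadow", "passwd.db")


def classify(mode: int, uid: int, is_dir: bool, sensitive: bool = False) -> list:
    """Pure rule set over an st_mode/st_uid pair; returns the issues found."""
    issues = []
    if is_dir:
        # 5.3.8.3: anyone may drop or replace executables here, and root may run them
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            issues.append("world-writable directory without sticky bit")
        return issues
    executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if mode & stat.S_IWOTH:                                              # 5.3.4.6
        issues.append("world-writable file")
    if uid == 0 and executable and mode & (stat.S_IWGRP | stat.S_IWOTH):  # 5.3.8.4
        issues.append("root-owned executable writable by non-root")
    if mode & (stat.S_ISUID | stat.S_ISGID):                             # 5.3.8.5
        issues.append("setuid/setgid file")
    if sensitive and mode & stat.S_IROTH:                                # 5.3.6.9
        issues.append("sensitive file world-readable")
    return issues


def audit_tree(root: str, sensitive_suffixes=SENSITIVE_SUFFIXES) -> list:
    """Walk `root` without following symlinks; return (path, issue) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in [*dirnames, *filenames]:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            if stat.S_ISLNK(st.st_mode):
                continue  # the link target is judged at its own path
            is_dir = stat.S_ISDIR(st.st_mode)
            sensitive = not is_dir and name.endswith(sensitive_suffixes)
            for issue in classify(st.st_mode, st.st_uid, is_dir, sensitive):
                findings.append((path, issue))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local"
    for path, issue in audit_tree(target):
        print(f"{issue}: {path}")
```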

5.3.8.6  Insecure Network Services

  • Threat name: Insecure Network Services.
  • Threat Category: Elevation of Privilege.
  • Threat Description: The GNP can expose insecure/vulnerable services/open ports which can be exploited by an attacker to gain unauthorized access, for example using telnet on a custom port without any authentication mechanism configured.
  • Threatened Asset: Insecure network services/ports.

5.3.8.7  Elevation of Privilege via Unnecessary Network Services

  • Threat name: Unnecessary Network Services
  • Threat category: Elevation of Privilege, Denial of Service
  • Threat Description: The GNP can expose unnecessary services/open ports which can be exploited by an attacker to gain unauthorized access, thus leading to elevation of privilege. The term unnecessary used in this threat refers to two cases:
    • Network services not strictly related to GNP operation (e.g. Splunk service)
    • Network service available on unexpected interfaces (e.g. SSH enabled on the interface interconnecting the GNP and Remote Management)
  • Threatened Asset: all critical assets of GNP as listed in clause 5.2, except hardware assets.
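An added example, not from TR 33.926, for the insecure and unnecessary network service threats in clauses 5.3.6.10, 5.3.6.11, 5.3.8.6 and this clause: parse listener output in the column layout of `ss -Hlntu` against an allowlist of expected (protocol, port) pairs and the local addresses each may be bound to, flagging unexpected services, expected services exposed on the wrong interface and services bound to all interfaces. The sample output, the addresses and the policy are constructed.

```python
# Constructed sample in the column layout of `ss -Hlntu`
# (Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    10.0.0.5:22        0.0.0.0:*
tcp   LISTEN 0      128    192.0.2.10:22      0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8089       0.0.0.0:*
tcp   LISTEN 0      5      192.0.2.10:2323    0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*
tcp   LISTEN 0      128    [::1]:9090         [::]:*
"""

# Constructed policy. Assumed addressing: 10.0.0.5 is the OAM (remote
# management) interface, 192.0.2.10 the signalling interface. Each expected
# (proto, port) maps to the only local addresses it may be bound to.
EXPECTED = {
    ("tcp", 22): {"10.0.0.5"},    # SSH for OAM only, never on the signalling side
    ("udp", 323): {"127.0.0.1"},  # chrony command socket, loopback only
}
ALL_INTERFACES = {"0.0.0.0", "::", "*"}


def parse_ss(text: str) -> list:
    """Return (proto, local_addr, port) for every socket line."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto, local = parts[0], parts[4]
        addr, _, port = local.rpartition(":")
        try:
            port = int(port)
        except ValueError:
            continue  # wildcard port, nothing to judge
        sockets.append((proto, addr.strip("[]"), port))
    return sockets


def audit_listeners(sockets: list, expected: dict = EXPECTED) -> list:
    """Compare observed listeners with the allowlist; return findings."""
    findings = []
    for proto, addr, port in sockets:
        allowed = expected.get((proto, port))
        if allowed is None:
            # case 1 of the threat: a service the GNP does not need at all
            findings.append((proto, addr, port, "unexpected service"))
        elif addr in ALL_INTERFACES:
            # reachable on every interface, including ones the policy never named
            findings.append((proto, addr, port, "bound to all interfaces"))
        elif addr not in allowed:
            # case 2 of the threat: a needed service on the wrong interface
            findings.append((proto, addr, port, "expected service on unexpected interface"))
    return findings


if __name__ == "__main__":
    for proto, addr, port, issue in audit_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"{issue}: {proto} {addr}:{port}")
```

On a live system, feed the function the output of `ss -Hlntu` in place of the constructed sample.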