Content for TR 33.926 Word version: 17.6.0

1… 4… 5… 6… A… B… C… D… E… F… G… H… I… J… K… L… M… O… P…

I.1 Network product class description for the NEF I.2 Assets and threats specific to the NEF I.2.1 Critical assets I.2.2 Threats related to NEF assets
...

I Aspects specific to the network product class NEF |R16| p. 54

I.1 Network product class description for the NEF p. 54

I.1.1 Introduction p. 54

This annex captures the aspects specific to network product class NEF.

I.1.2 Minimum set of functions defining the NEF network product class p. 54

As part of the NEF network product, it is expected that the NEF to contain NEF application, a set of running processes (typically more than one) executing the software package for the NEF functions and OAM functions that are specific to the NEF network product model. Functionalities specific to the NEF network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.519.

I.2 Assets and threats specific to the NEF p. 54

I.2.1 Critical assets p. 54

In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the NEF to be protected are:

NEF Application;
NF and User Data: e.g. NF capabilities and events, network and user sensitive information (e.g. DNN, S-NSSAI, etc.), structured data retrieved from UDR, 5G LAN group information, NWDAF analytics, etc.
The interfaces of NEF to be protected and which are within SECAM scope:
- Service based interface, Nnef, for providing services to SMF, and AF
- Service based interface for consuming services from AMF, UDM, PCF, SMF, UDR, Binding Support Function, NRF
- Console interface, for local access: local interface on NEF
- OAM interface, for remote access: interface between NEF and OAM system
NOTE 1:
The detailed interfaces of the NEF class are described in clause 4, Network Product Class Description of the present document.
NEF Software: binary code or executable code

NOTE 2:
NEF files may be any file owned by a user (root user as well as non-root uses), including User account data and credentials, Log data, configuration data, OS files, NEF application, NF and User data, or NEF Software.

I.2.2 Threats related to NEF assets p. 55

I.2.2.1 No authentication on application function p. 55

Threat name: No Authentication on application function
Threat Category: Information Disclosure, tampering
Threat Description: If the authentication of the Application Function is not supported, the application function without a legal certificates, or pre-shared key could be able to establish a TLS connection with the NEF. The data stored in the NEF may be exposed to an attacker.
Threatened Asset: NF and User Data

I.2.2.2 No authorization on northbound APIs p. 55

Threat name: No Authorization on northbound APIs
Threat Category: Elevation of Privilege, Information Disclosure
Threat Description: A malicious AF without OAuth-based authorization or with an incorrect access token may invoke the NEF services arbitrarily. For example, an attacker may invoke the Nnef_EventExposure_Subscribe service provide by the NEF without authorization. The Event data related with this subscribe will be leaked to the attacker.
Threatened Asset: Sufficient Processing Capacity, NF and User Data