
Content for TR 33.926 Word version: 17.6.0


K  Aspects specific to the network product class AMF |R16|

K.1  Network product class description for the AMF

K.1.1  Introduction

This Annex covers the aspects specific to the AMF network product class.

K.1.2  Minimum set of functions defining the AMF network product class

As part of the AMF network product, the AMF is expected to contain an AMF application: a set of running processes (typically more than one) executing the software package for the AMF functions, together with the OAM functions specific to the AMF network product model. Functionalities specific to the AMF network product introduce additional threats and/or critical assets, as described below. Related security requirements and test cases have been captured in TS 33.512.

K.2  Assets and threats specific to the AMF

K.2.1  Critical assets

In addition to the critical assets of a GNP as described in clause 5.2 of the present document, the critical assets specific to the AMF to be protected are:
  • AMF Application;
  • Mobility Management data: e.g. subscriber's identities (e.g. SUCI), subscriber keys (i.e. KNASenc, KNASint, NH), authentication parameters, address of the serving gNB, APN name, data related to mobility management such as UE status and UE's IP address, session management data such as PDN type and QoS, and node selection and routing selection data, e.g. IP address of the UE-related UPF, routing connection selected based on the UE's identity, etc.
  • The interfaces of the AMF to be protected and which are within SECAM scope, for example:
    • Service based interface, Namf, for providing services to SMF, AUSF, NEF, PCF, GMLC, SMSF, LMF and UDM
    • Service based interface for consuming services from NSSF, SMF, LMF, SMSF, PCF, 5G-EIR, UDM, AUSF, and NRF
    • Reference point interfaces:
      • N1.
      • N2.
      • N26.
    • Console interface, for local access: local interface on AMF.
    • OAM interface, for remote access: interface between AMF and OAM system.
  • AMF Software: binary code or executable code.

K.2.2  Threats related to AKA procedures

K.2.2.1  Resynchronization

  • Threat name: Resynchronization
  • Threat Category: Denial of Service
  • Threat Description: If RAND and AUTS are not included when synchronization fails, the resynchronization procedure does not work correctly. This can result in waste of system resources and deny a legitimate user access to the system.
  • Threatened Asset: Sufficient Processing Capacity

K.2.2.2  Failed Integrity check of Initial Registration message

  • Threat name: Failed integrity check of Initial Registration message
  • Threat Category: Denial of Service
  • Threat Description: If the integrity check of the attach message fails, the user identity cannot be verified. This can result in waste of system resources and deny a legitimate user access to the system.
  • Threatened Asset: Sufficient Processing Capacity

K.2.2.3  RES* verification failure

  • Threat name: RES* verification failure
  • Threat Category: Denial of Service
  • Threat Description: If a malicious UE initiates a registration request using a SUCI and this request is followed by primary authentication in which an incorrect RES* is sent to the network, then the RES* verification will fail. In this case, if the RES* verification failure is not handled correctly, e.g., AMF/SEAF does not reject the registration request directly, or initiates a new authentication procedure with the UE, this would result in waste of system resources.
  • Threatened Asset: Sufficient Processing Capacity
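The SEAF-side handling this threat calls for, as an added example that is not part of TR 33.926 or of any AMF implementation: the HRES*/HXRES* derivation follows TS 33.501 Annex A.5, the decision logic rejects a SUCI-identified UE directly on mismatch instead of starting another AKA run, and RAND and XRES* are constructed values, not test vectors.

```python
import hashlib
import secrets
from dataclasses import dataclass


def hres_star(rand: bytes, res_star: bytes) -> bytes:
    """HRES*/HXRES* derivation of TS 33.501 Annex A.5: the 128 least
    significant bits of SHA-256(RAND || RES*). The same function yields
    HXRES* from XRES* (AUSF side) and HRES* from RES* (SEAF side)."""
    if len(rand) != 16 or len(res_star) != 16:
        raise ValueError("RAND and (X)RES* are 128-bit values")
    return hashlib.sha256(rand + res_star).digest()[-16:]


@dataclass
class AuthContext:
    rand: bytes          # from the 5G SE AV delivered by the AUSF
    hxres_star: bytes    # idem
    identity_type: str   # how the UE identified itself: "SUCI" or "5G-GUTI"


def seaf_on_authentication_response(ctx: AuthContext, res_star: bytes) -> str:
    """SEAF handling of the RES* carried in Authentication Response.
    A match is forwarded to the AUSF for the final XRES* comparison. A mismatch
    for a SUCI-identified UE is rejected outright; re-running authentication
    for the same unverified SUCI is the resource waste described above."""
    if secrets.compare_digest(hres_star(ctx.rand, res_star), ctx.hxres_star):
        return "FORWARD_TO_AUSF"
    if ctx.identity_type == "SUCI":
        return "AUTHENTICATION_REJECT"
    # 5G-GUTI case: possibly a legitimate UE with a stale context, so the AMF
    # retrieves the SUCI through the Identification procedure before any retry.
    return "IDENTITY_REQUEST"


# Constructed values (not a real test vector): what the AUSF would supply.
RAND = bytes(range(16))
XRES_STAR = bytes.fromhex("00112233445566778899aabbccddeeff")
HXRES_STAR = hres_star(RAND, XRES_STAR)
```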

K.2.3  Threats related to security mode command procedure

K.2.3.1  Bidding Down

  • Threat name: Bidding down
  • Threat Category: Tampering of Data, Information Disclosure
  • Threat Description: If the SMC procedure does not include the complete initial NAS message, either when requested by the AMF or when the UE sent the initial NAS message unprotected, the UE can force the system to reduce the security level by using weaker security algorithms or turning security off, making the system easily attacked and/or compromised.
  • Threatened Asset: User account data and credentials

K.2.3.2  NAS integrity selection and use

  • Threat name: NAS integrity selection and use
  • Threat Category: Tampering of data, Information Disclosure, Denial of Service
  • Threat Description: If NAS does not use the highest priority algorithm, NAS traffic risks being disclosed and/or modified, or the NAS layer risks being exposed to denial of service.
  • Threatened Asset: Sufficient Processing Capacity, Control plane signalling

K.2.3.3  NAS NULL integrity protection

  • Threat name: NAS NULL integrity protection
  • Threat Category: Elevation of Privilege
  • Threat Description: If NAS NULL integrity protection is used outside of emergency call scenarios, an attacker can initiate unauthenticated non-emergency calls.
  • Threatened Asset: Sufficient Processing Capacity

K.2.3.4  NAS confidentiality protection

  • Threat name: NAS confidentiality protection
  • Threat Category: Tampering of Data, Information Disclosure, Denial of Service
  • Threat Description: If the Security Mode Complete message is not confidentiality protected, the AMF cannot be certain that the SMC procedure was executed correctly. This can result in waste of system resources and deny a legitimate user access to the system.
  • Threatened Asset: Sufficient Processing Capacity

K.2.4  Threats related to security in Intra-RAT mobility

K.2.4.1  Bidding down on Xn-Handover

  • Threat name: Bidding down on Xn-Handover
  • Threat Category: Tampering of Data, Information Disclosure
  • Threat Description: If the AMF cannot verify that the 5G security capabilities received from the source gNB via the target gNB are the same as the UE security capabilities that the AMF has stored, the source gNB may force the system to accept a weaker security algorithm than the system is allowed, forcing the system into a lowered security level and making the system easily attacked and/or compromised.
  • Threatened Asset: User account data and credentials

K.2.4.2  NAS integrity protection algorithm selection in AMF change

  • Threat name: NAS integrity protection algorithm selection in AMF change
  • Threat Category: Tampering of Data, Information Disclosure
  • Threat Description: If the highest priority NAS integrity protection algorithm is not selected by the new AMF in AMF change, the new AMF could end up using a weaker algorithm, forcing the system into a lowered security level and making the system easily attacked and/or compromised.
  • Threatened Asset: User account data and credentials

K.2.5  Threats related to release of non-emergency bearer

  • Threat name: Release of non-emergency bearer
  • Threat Category: Denial of Service
  • Threat Description: If authentication fails in the AMF and the non-emergency bearer is not released, the UE can continue receiving unauthorized calls, wasting valuable system resources.
  • Threatened Asset: Sufficient Processing Capacity

K.2.6  Threats related to initial registration procedure

K.2.6.1  Invalid or unacceptable UE security capabilities

  • Threat name: Invalid or unacceptable UE security capabilities
  • Threat Category: Tampering of Data, Information Disclosure
  • Threat Description: A flawed AMF implementation accepting insecure or invalid UE security capabilities may put User Plane and Control Plane traffic at risk, without the operator being aware of it. If NULL ciphering algorithm and/or NULL integrity protection algorithm of the UE security capabilities is accepted by the AMF, all the subsequent NAS, RRC, and UP messages will not be confidentiality and/or integrity protected. The attacker can easily intercept or tamper control plane data and the user plane data. This can result in information disclosure as well as tampering of data.
  • Threatened Asset: User account data and credentials, Mobility Management data
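The capability checks behind this threat and the related ones in K.2.3.2, K.2.3.3, K.2.4.1 and K.2.4.2, as an added example that is not part of TR 33.926 or of any AMF implementation: the IE decoder assumes the two-octet 5G-EA/5G-IA flag layout of the TS 24.501 UE security capability IE, the mandatory algorithm sets are the ones TS 33.501 requires every UE to implement, and the operator priority lists and the rejection policy for malformed capability sets are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MANDATORY_EA = {"NEA0", "NEA1", "NEA2"}   # every UE must implement these (TS 33.501)
MANDATORY_IA = {"NIA0", "NIA1", "NIA2"}


def parse_ue_security_capability(ie: bytes) -> tuple[frozenset, frozenset]:
    """Decode the first two value octets of the UE security capability IE
    (TS 24.501): octet 1 carries the 5G-EA0..7 flags, octet 2 the 5G-IA0..7
    flags, with algorithm n in bit (8 - n), i.e. algorithm 0 in the MSB."""
    if len(ie) < 2:
        raise ValueError("UE security capability IE too short")
    ea = frozenset(f"NEA{n}" for n in range(8) if ie[0] & (0x80 >> n))
    ia = frozenset(f"NIA{n}" for n in range(8) if ie[1] & (0x80 >> n))
    return ea, ia


@dataclass(frozen=True)
class Selection:
    nea: str
    nia: str


def select_nas_algorithms(ue_ea, ue_ia, prio_ea, prio_ia, emergency=False) -> Optional[Selection]:
    """NAS algorithms for the Security Mode Command, or None when the registration
    must be rejected. prio_* are the operator's ordered lists; the first entry the
    UE supports wins, and a new AMF re-runs this on AMF change instead of keeping
    the old AMF's choice (K.2.3.2, K.2.4.2)."""
    # K.2.6.1 (example policy): a capability set lacking the mandatory
    # algorithms is malformed; do not guess what the UE meant.
    if not (MANDATORY_EA <= ue_ea and MANDATORY_IA <= ue_ia):
        return None
    nea = next((a for a in prio_ea if a in ue_ea), None)
    nia = next((a for a in prio_ia if a in ue_ia), None)
    if nea is None or nia is None:
        return None
    if nia == "NIA0" and not emergency:   # K.2.3.3: NULL integrity only for emergency
        return None
    return Selection(nea, nia)


def verify_path_switch_capabilities(stored, received) -> tuple[bool, tuple]:
    """K.2.4.1: the target gNB relays, in Path Switch Request, the UE capabilities
    it got from the source gNB. The AMF always answers with its own stored copy
    in the Path Switch Request Acknowledge; a mismatch is flagged so it can be
    logged and alarmed, since only a faulty or compromised source can cause it."""
    return received != stored, stored
```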

K.2.7  Threats related to 5G-GUTI allocation

K.2.7.1  Failure to allocate new 5G-GUTI

  • Threat name: Failure to allocate new 5G-GUTI.
  • Threat Category: Information Disclosure.
  • Threat Description: If a new 5G-GUTI is not allocated by the AMF in certain registration scenarios (i.e. after receiving a Registration Request message of type "initial registration", or a Registration Request message of type "mobility registration update", or a Service Request message sent by the UE in response to a Paging message), an attacker could keep on tracking the user using the old 5G-GUTI after these registration procedures. For a CIoT UE in idle state with suspend indication, even though the UE will not initiate a Service Request after receiving a paging message, if a new 5G-GUTI is not allocated, the attacker can replay the paging message multiple times and, based on the responding messages, could still be able to track the UE.
  • Threatened Asset: Mobility Management data.
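The reallocation rule implied by this threat, as an added example that is not part of TR 33.926 or of any AMF implementation: the trigger events are the three listed above plus the reconnect of a suspended CP CIoT UE after paging, the GUAMI prefix and SUPI strings are constructed placeholders, and treating periodic registration update as a non-trigger is an assumption of this example.

```python
import secrets
from dataclasses import dataclass

# Events after which the AMF must hand the UE a fresh 5G-GUTI, per the threat
# description above. Periodic registration update is left to operator policy here.
REALLOCATE_ON = {"initial_registration", "mobility_registration_update",
                 "service_request_after_paging"}


@dataclass
class UeContext:
    supi: str
    guti: str
    cp_ciot_suspended: bool = False   # idle with suspend indication (CP CIoT 5GS optimisation)


class GutiAllocator:
    """Tracks which 5G-GUTI currently identifies each UE context. GUAMI_PREFIX
    is a constructed stand-in for the AMF's GUAMI; the 5G-TMSI is 32 random bits,
    so consecutive values for one UE are unlinkable."""
    GUAMI_PREFIX = "amf-example"   # constructed, not a real GUAMI encoding

    def __init__(self):
        self.by_guti: dict[str, UeContext] = {}

    def fresh_guti(self) -> str:
        while True:
            guti = f"{self.GUAMI_PREFIX}:{secrets.token_hex(4)}"   # 32-bit 5G-TMSI
            if guti not in self.by_guti:
                return guti

    def register(self, ctx: UeContext) -> None:
        self.by_guti[ctx.guti] = ctx

    def on_event(self, ctx: UeContext, event: str) -> bool:
        """Reallocate when the event requires it; True if a new 5G-GUTI was assigned.
        A suspended CP CIoT UE never answers paging with a Service Request, so its
        reconnect is treated as the trigger (the new value then goes out in a
        Configuration Update); otherwise replayed pages let the old 5G-GUTI be tracked."""
        ciot_resume = event == "reconnect_after_paging" and ctx.cp_ciot_suspended
        if event not in REALLOCATE_ON and not ciot_resume:
            return False
        old = ctx.guti
        ctx.guti = self.fresh_guti()
        self.by_guti.pop(old, None)       # the old 5G-GUTI must no longer resolve to this UE
        self.by_guti[ctx.guti] = ctx
        return True

    def resolve(self, guti: str):
        return self.by_guti.get(guti)
```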

K.2.8  NAS based redirection from 5GS to EPS in 5G CIoT |R17|

  • Threat name: NAS based redirection from 5GS to EPS
  • Threat Category: Denial of Service, Information Disclosure.
  • Threat Description: In NAS based redirection from 5GS to EPS in 5G CIoT, when a UE initiates the registration procedure with the AMF, the AMF may redirect the UE from 5GC to EPC with a Registration Reject message sent to the UE. If that Registration Reject message, carrying an EMM cause indicating that the UE shall not use 5GC, is not protected, the attacker can modify the cause and the UE will try to connect to the EPS. This leads to a bidding down attack on the UE.
  • Threatened Asset: Sufficient Processing Capability, N1 interface, Mobility Management data.

K.2.9  Threat related to Security for 5G CIoT |R17|

K.2.9.1  Failed Verification of UE Identity during RRC Reestablishment Procedure for CP CIoT 5GS Optimization

  • Threat name: Failed Verification of UE Identity during RRC Reestablishment Procedure for CP CIoT 5GS Optimization
  • Threat Category: Denial of Service.
  • Threat Description: If verification of a UE using CP CIoT 5GS Optimization during the RRC Reestablishment procedure fails, the user identity cannot be verified. This can result in waste of system resources and deny a legitimate user access to the system. In addition, if the AMF does not correctly indicate the result of the verification to the ng-eNB, an illegitimate UE may successfully re-establish on the ng-eNB, resulting in waste of system resources.
  • Threatened Asset: Sufficient Processing Capacity.

K.2.10  Threats related to session establishment procedure |R17|

K.2.10.1  Incorrect validation of S-NSSAIs

  • Threat name: Incorrect Validation of S-NSSAIs.
  • Threat Category: Elevation of Privilege.
  • Threat Description: After successful network slice-specific authentication and authorization, there is an Allowed NSSAI list in both the UE and the AMF. The UE then initiates the PDU session establishment request with the requested S-NSSAIs included. If the AMF does not verify whether the received S-NSSAIs are within the Allowed NSSAI list stored at the AMF, an attacker can still include the rejected S-NSSAIs in the request and access the slice even after it has failed the NSSAA procedure.
  • Threatened Asset: Mobility management data, sufficient processing capacity.
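The AMF-side check this threat calls for, as an added example that is not part of TR 33.926 or of any AMF implementation: it keeps per-UE allowed, NSSAA-pending and NSSAA-rejected S-NSSAI sets and validates the S-NSSAI of a PDU Session Establishment Request against the AMF's own copy before SMF selection; matching on exact SST+SD, and mapping an absent S-NSSAI to the lowest allowed one, are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class SNssai:
    sst: int                  # Slice/Service Type, 8 bits
    sd: Optional[str] = None  # optional 24-bit Slice Differentiator, 6 hex digits


@dataclass
class SliceContext:
    """Per-UE slice state held by the AMF after registration. NSSAA moves an
    S-NSSAI from nssaa_pending into allowed (success) or nssaa_rejected (failure);
    the UE's own view of the Allowed NSSAI is never consulted."""
    allowed: set = field(default_factory=set)         # Allowed NSSAI sent to the UE
    nssaa_pending: set = field(default_factory=set)
    nssaa_rejected: set = field(default_factory=set)

    def on_nssaa_result(self, s: SNssai, success: bool) -> None:
        self.nssaa_pending.discard(s)
        (self.allowed if success else self.nssaa_rejected).add(s)


def validate_pdu_session_request(ctx: SliceContext,
                                 requested: Optional[SNssai]) -> tuple[bool, Optional[SNssai], str]:
    """Validate the S-NSSAI of a PDU Session Establishment Request (carried in
    UL NAS Transport) against the AMF's stored Allowed NSSAI before an SMF is
    selected. Returns (accept, S-NSSAI to use for SMF selection, reason)."""
    if requested is None:
        # Example assumption: an absent S-NSSAI maps to the lowest allowed entry.
        if not ctx.allowed:
            return False, None, "no allowed S-NSSAI"
        return True, min(ctx.allowed, key=lambda s: (s.sst, s.sd or "")), "default S-NSSAI"
    if requested in ctx.nssaa_rejected:          # the K.2.10.1 case: NSSAA failed earlier
        return False, None, "S-NSSAI failed NSSAA"
    if requested in ctx.nssaa_pending:
        return False, None, "NSSAA still in progress"
    if requested not in ctx.allowed:             # exact SST+SD match only
        return False, None, "S-NSSAI not in Allowed NSSAI"
    return True, requested, "ok"
```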