Executive Summary

The vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions prior to 4.2.2. The Access and Mobility Management Function (AMF) does not enforce the concurrent security procedure rules as defined in the 3GPP TS 33.501 standard. It fails to check for ongoing N2 handover procedures before initiating a NAS Security Mode Command, and vice versa. This can cause mismatches between the Non-Access Stratum (NAS) and Access Stratum (AS) security contexts between the network and the User Equipment (UE).

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to inconsistencies in security contexts between the network and the user device, potentially weakening the security of communications. According to the CVSS score, it has a low to moderate impact with a base score of 3.7, indicating it may cause limited integrity and availability issues but does not affect confidentiality.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in free5GC version 4.2.2. To mitigate this vulnerability, you should upgrade your free5GC deployment to version 4.2.2 or later.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Free5GC's AMF involves non-compliance with the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1, which is a telecommunications security standard.

This non-compliance can lead to mismatches between NAS and AS security contexts, potentially causing integrity issues and security verification failures.

However, there is no direct information provided about how this vulnerability impacts compliance with broader common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves improper handling of concurrent security procedures in Free5GC's AMF during NGAP handover operations, specifically the lack of checks for ongoing NAS Security Mode Command or N2 handover procedures before initiating the other.

Detection would require monitoring the AMF behavior for concurrent NAS Security Mode Command and N2 handover procedures that violate 3GPP TS 33.501 §6.9.5.1 rules.

Since the vulnerability is related to protocol state handling within Free5GC AMF, direct detection via simple network commands is not straightforward.

No specific detection commands or tools are provided in the available resources.

A practical approach might include enabling detailed logging on the Free5GC AMF component to observe NAS Security Mode Command and N2 handover procedure states and checking for overlapping or concurrent procedures.

Network packet captures focusing on NGAP messages could be analyzed to identify if NAS Security Mode Command and N2 handover procedures are initiated concurrently without proper checks.

Useful 0 Not Useful 0