Executive Summary

This vulnerability affects Ella Core, a 5G core designed for private networks. Before version 1.10.0, a radio device with a valid NG Setup could send a forged PDUSessionResourceSetupResponse message that includes any UE's AMF-UE-NGAP-ID. Ella Core does not verify whether this message actually arrived on the SCTP association linked to that UE's logical NG-connection. As a result, the system creates a GTP tunnel towards the radio based on the forged message.

This flaw allows an attacker to impersonate or interfere with other user equipment sessions by exploiting the lack of verification in message origin and association.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to unauthorized creation of GTP tunnels towards radios, potentially allowing attackers to interfere with or hijack user equipment sessions within the 5G private network.

This can result in denial of service (as indicated by the CVSS score's high impact on availability), and limited confidentiality impact, meaning some data exposure or session disruption could occur.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Ella Core to version 1.10.0 or later, where the issue has been fixed.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to redirect downlink user-plane traffic of a UE to a malicious radio by exploiting improper verification of message origin. While the primary impact is on availability, there is also a secondary impact on confidentiality due to potential unauthorized access to user data.

Such unauthorized redirection and potential interception of user data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require ensuring confidentiality and integrity of personal and sensitive data. The failure to properly authorize and verify message sources represents a security control weakness that may violate these standards' requirements for protecting user information.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves a malicious radio sending a forged PDUSessionResourceSetupResponse message with any UE's AMF-UE-NGAP-ID over an SCTP association. Detection would involve monitoring SCTP associations and NGAP messages for anomalies, such as PDUSessionResourceSetupResponse messages arriving on unexpected SCTP associations or from radios that do not correspond to the UE's logical NG-connection.

Commands to detect this could include capturing and inspecting SCTP traffic and NGAP messages using network analysis tools like tshark or tcpdump. For example, you could use tshark to filter SCTP packets and analyze NGAP message contents to verify the source SCTP association matches the UE context.

• tshark -i <interface> -Y "sctp && ngap" -V
• tcpdump -i <interface> -w capture.pcap sctp

After capturing, analyze the NGAP PDUSessionResourceSetupResponse messages to check if the AMF-UE-NGAP-ID matches the SCTP association from which the message was received. Any mismatch could indicate exploitation attempts.

Useful 0 Not Useful 0