Can you explain this vulnerability to me?

The vulnerability exists in Ella Core, a 5G core designed for private networks, prior to version 1.10.0. It fails to enforce security rules on concurrent running of security procedures as defined in TS 33.501 §6.9.5.1. Specifically, it can send a NAS Security Mode Command while an N2 handover is still pending, or vice versa. This concurrency causes a KgNB mismatch between the User Equipment (UE) and the target gNB, which leads to handover failure.

Triggering this vulnerability requires a stalled gNB and a re-registration race condition.

The issue was fixed in version 1.10.0 of Ella Core.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can cause handover failures in 5G private networks using Ella Core prior to version 1.10.0. The KgNB mismatch between the UE and target gNB disrupts the handover process, potentially leading to degraded network performance or dropped connections during mobility events.

The CVSS base score of 3.7 indicates a low severity impact, with limited integrity and availability impact but no confidentiality impact.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in Ella Core version 1.10.0. Immediate mitigation involves upgrading to version 1.10.0 or later to ensure enforcement of security rules on concurrent running of security procedures.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0