As part of the UDM network product, the UDM is expected to contain the UDM application, a set of running processes (typically more than one) executing the software package for the UDM functions and OAM functions that are specific to the UDM network product model. Functionalities specific to the UDM network product introduce additional threats and/or critical assets as described below. Related security requirements and test cases have been captured in TS 33.514.
In addition to the critical assets of a GNP described in clause 5.2 of the present document, the critical assets specific to the UDM to be protected are:
UDM Application;
User Subscription Data: e.g. subscriber's identities (e.g. SUPI), subscription-related data (e.g. credentials, Access and Mobility Subscription data, SMF Selection Subscription data, UE context in SMF data, authentication status, etc.), etc.
The interfaces of the UDM to be protected, which are within SECAM scope, are:
Service based interface, Nudm, for providing services to AMF, SMF, AUSF, NEF, PCF, GMLC, SMSF
Service based interface for consuming services from AMF, AUSF, UDR, NRF.
Console interface, for local access: local interface on UDM
OAM interface, for remote access: interface between UDM and OAM system
Threat Description: If the SUPI in the UE and the SUPI retrieved from Nudm_UEAuthentication_Get Response message are not the same, the AMF key generated based on the SUPI in the UE is also not the same as the AMF key generated in the AMF/SEAF. As a result, the subsequent NAS SMC procedure will always fail. Hence, UE will never be able to use the services provided by the serving AMF.
Threat Description: If the UDM cannot handle the synchronization failure case during primary authentication, the SQN value stored in the UE and that stored in the UDM will not be synchronized. Hence, the UE will not be able to successfully authenticate with the core network.
Threatened Asset: Sufficient Processing Capacity, User Subscription data
Threat name: Failure to store authentication status
Threat Category: Denial of Service
Threat Description: If the UDM does not store the authentication status of a UE, the 5G network cannot support the increased home control, which is useful in preventing certain types of fraud, e.g. a fraudulent Nudm_UECM_Registration Request sent by a malicious AMF in order to register in the UDM an AMF that is not actually present in the visited network. Without the authentication status in the UDM, or if the stored authentication status is incorrect, the Nudm_UECM_Registration Request sent from the malicious AMF may be accepted.
Threatened Asset: Sufficient Processing Capacity, User Subscription data
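The check that the threat above depends on is that the UDM keeps the outcome of the most recent primary authentication per SUPI and consults it before accepting a Nudm_UECM_Registration from an AMF. The following is an added illustrative model of that linkage, not code from TS 33.926, TS 33.514 or any UDM product: the store layout, the function names, the serving network name strings and the 600-second freshness window are all constructed for this example.

```python
"""Added example: linking stored primary-authentication status to a later
Nudm_UECM_Registration in a UDM. Data model and policy values are constructed
for illustration and are not taken from a 3GPP specification."""
from dataclasses import dataclass, field
import time
from typing import Dict, Optional, Tuple


@dataclass
class AuthStatus:
    serving_network_name: str   # e.g. "5G:mnc001.mcc001.3gppnetwork.org" (constructed)
    success: bool               # outcome reported by the AUSF after authentication
    timestamp: float            # seconds since epoch when the outcome was stored


@dataclass
class UdmAuthStatusStore:
    # Constructed in-memory store: one entry per SUPI (assumption of this example).
    records: Dict[str, AuthStatus] = field(default_factory=dict)
    # Constructed freshness window; a real deployment chooses its own policy.
    max_age_s: float = 600.0

    def record_auth_result(self, supi: str, serving_network_name: str,
                           success: bool, now: Optional[float] = None) -> None:
        """Store the result of primary authentication for this SUPI together with
        the serving network that performed it (the AUSF reports this outcome to the
        UDM, e.g. via Nudm_UEAuthentication_ResultConfirmation)."""
        ts = time.time() if now is None else now
        self.records[supi] = AuthStatus(serving_network_name, success, ts)

    def check_uecm_registration(self, supi: str, amf_serving_network_name: str,
                                now: Optional[float] = None) -> Tuple[bool, str]:
        """Decide whether a Nudm_UECM_Registration from an AMF in the given serving
        network may be accepted. Returns (accepted, reason)."""
        ts = time.time() if now is None else now
        status = self.records.get(supi)
        if status is None:
            # Without any stored status the UDM cannot exercise home control.
            return (False, "no authentication status stored for SUPI")
        if not status.success:
            return (False, "last primary authentication for SUPI failed")
        if status.serving_network_name != amf_serving_network_name:
            # Registration claims a serving network that did not authenticate the UE.
            return (False, "serving network did not authenticate this UE")
        if ts - status.timestamp > self.max_age_s:
            return (False, "authentication status is stale")
        return (True, "accepted")
```

The decisive comparison is the serving network name: a registration from a network other than the one that completed authentication is the case the threat describes, and it is refused regardless of how the request is otherwise formed.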
Threat Reference: Tampering of data, Information Disclosure
Threat Description: In the case where the UDM is configured to set and provide the UP security policy to the SMF for the TSC service, if the UP security policy is not set to "required", the gPTP message transferred from the gNB to a 5GS TSC-enabled UE in the user plane may be removed, tampered with or intercepted by an attacker.
Threat name: Incorrect UP security policy configuration for 5G LAN service
Threat Reference: Tampering of data, Information Disclosure
Threat Description: It is assumed that two UEs belong to one 5G LAN group. In the case where the UDM is configured to set and provide the User Plane security policy to the SMF, if the UP security policies set for all the UEs belonging to a specific 5G LAN service are not consistent, e.g. UP security policy1 for UE1 is set to "required" and UP security policy2 for UE2 is set to "not needed", the 5G LAN service data transferred from the gNB to UE2 may be removed, tampered with or intercepted by the attacker, even if the service data transferred to UE1 is protected. That means the 5G LAN service data is at risk of being attacked at the lowest security level set in the UP security policies.
Threat name: Use of an invalid public key in the SUCI ECIES protection scheme
Threat Reference: Information Disclosure
Threat Description: If the protection scheme output of a SUCI contains an invalid point (a point that is not on the elliptic curve) as the UE's public key, and the UDM uses it to compute the shared secret with the HN's private key to decrypt the SUCI, an attacker can recover the HN's private key using the UDM as an oracle. This consequently undermines the security claim of the SUCI scheme and leads to user identification.
Threatened Asset: Private Key of the Home Network for SUCI Decryption, User Subscription Data
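The mitigation for the threat above is input validation: the UDM (or its SIDF) must confirm that the UE's ephemeral public key is a valid point on the expected curve before any operation involving the HN private key. The block below is an added example, not code from TS 33.926 or any UDM implementation, for the Weierstrass curve secp256r1 used by SUCI protection scheme Profile B in TS 33.501, where the key is carried as a compressed point. The curve constants are the standard secp256r1 domain parameters; the function names and sample inputs are constructed for this example.

```python
"""Added example: validate a secp256r1 public key received in a SUCI before it
is used for ECDH with the home network private key. Function names and test
inputs are constructed; curve parameters are the published secp256r1 values."""
from typing import Optional, Tuple

# secp256r1 (NIST P-256) domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def rhs(x: int) -> int:
    """Right-hand side of the curve equation y^2 = x^3 + a*x + b (mod p)."""
    return (pow(x, 3, P) + A * x + B) % P


def is_on_curve(x: int, y: int) -> bool:
    """True iff (x, y) is a reduced affine point satisfying the curve equation.
    secp256r1 has cofactor 1, so an affine point on the curve is automatically
    in the prime-order subgroup; no separate subgroup check is needed."""
    return 0 <= x < P and 0 <= y < P and (y * y) % P == rhs(x)


def decode_public_key(encoded: bytes) -> Optional[Tuple[int, int]]:
    """Decode a SEC1-encoded secp256r1 point: compressed 0x02/0x03 form (as used
    by Profile B) or uncompressed 0x04 form. Returns the affine point only if it
    lies on secp256r1, otherwise None, so the caller never performs the
    private-key scalar multiplication on an invalid point."""
    if len(encoded) == 33 and encoded[0] in (0x02, 0x03):
        x = int.from_bytes(encoded[1:], "big")
        if x >= P:
            return None                      # coordinate not reduced mod p
        y2 = rhs(x)
        # p = 3 (mod 4): if y2 is a square, one root is y2^((p+1)/4) mod p
        y = pow(y2, (P + 1) // 4, P)
        if (y * y) % P != y2:
            return None                      # no curve point has this x
        if (y & 1) != (encoded[0] & 1):
            y = P - y                        # choose root matching the parity prefix
        return (x, y)
    if len(encoded) == 65 and encoded[0] == 0x04:
        x = int.from_bytes(encoded[1:33], "big")
        y = int.from_bytes(encoded[33:], "big")
        return (x, y) if is_on_curve(x, y) else None
    return None                              # wrong length or unknown prefix


def ue_public_key_for_ecdh(encoded: bytes) -> Tuple[int, int]:
    """Gate in front of the HN-private-key operation: fail closed on any
    malformed or off-curve key instead of computing a shared secret."""
    point = decode_public_key(encoded)
    if point is None:
        raise ValueError("SUCI rejected: UE public key is not a valid secp256r1 point")
    return point
```

For compressed input the validation is inherent in decompression: if the candidate square root does not square back to the right-hand side, no point with that x exists on the curve and the SUCI is rejected. For uncompressed input the equation must be checked explicitly. Profile A (Curve25519) transmits only an x-coordinate and is handled by the X25519 function itself, so this Weierstrass check applies to Profile B.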