As intended, the base station tunnels this packet inside its own GTP-U tunnel and sends it to the UPF, so a GTP-U-in-GTP-U packet arrives at the UPF. The UPF now sees two GTP-U headers. The outer GTP-U header is created by the base station to encapsulate the data packet from the user device; it has 0xFF as its message type and a length of 44, and it is normal. The inner GTP-U header was crafted and sent by the user device as a data packet. Like the outer one, it has 0xFF as its message type, but its length of 0 is not normal.
The source IP address of the inner packet belongs to the user device, while the source IP address of the outer packet belongs to the base station. Both inner and outer packets have the same destination IP address: that of the UPF.
The UPF decapsulates the outer GTP-U and the packet passes the functional checks. The inner GTP-U packet's destination is again the same UPF. What happens next is implementation-specific:
- Some implementations maintain a state machine for packet traversal. An improperly implemented state machine might go on to process this inner GTP-U packet, and the packet may be treated as having already passed the checks phase because it shares the same packet context as the outer packet. The result is an anomalous packet inside the system, past the sanity checks.
- Since the inner packet's destination is the UPF's own IP address, the packet might instead be sent back to the UPF. In that case it is likely to hit the functional checks, which makes it less problematic than the previous case.
Attack vector
Some 5G core vendors leverage Open5GS code. For example, NextEPC (a 4G system that was rebranded as Open5GS in 2019 when 5G support was added, with some products remaining under the old brand) has an enterprise offering for LTE/5G that draws from Open5GS' code. No attacks or indications of threats in the wild have been observed, but our tests indicate potential risks in the identified scenarios.
The importance of the attack lies in its vector: an attack on the cellular infrastructure launched from the UE. The exploit requires only a mobile phone (or a computer connected via a cellular dongle) and a few lines of Python code to abuse the opening and mount this class of attack. GTP-U-in-GTP-U is a well-known technique, and backhaul IP security and encryption do not prevent it. In fact, these security measures might hinder the firewall from inspecting the content.
Remediation and insights
Critical industries such as the medical and utility sectors are among the early adopters of private 5G systems, and the breadth and depth of their use are only expected to grow further. Reliability for continuous, uninterrupted operations is critical for these industries, as lives and real-world consequences are at stake. The foundational role of these sectors is the reason they choose a private 5G system over Wi-Fi. It is imperative that private 5G systems offer unfailing connectivity, as a successful attack on any part of the 5G infrastructure could bring the entire network down.
In this entry, the abuse of CVE-2021-45462 can result in a DoS attack. The root cause of CVE-2021-45462 (and most GTP-U-in-GTP-U attacks) is the improper error checking and error handling in the packet core. While GTP-U-in-GTP-U itself is harmless, the proper fix for the gap has to come from the packet-core vendor, and infrastructure admins must use the latest versions of the software.
A GTP-U-in-GTP-U attack can also be used to leak sensitive information such as the IP addresses of infrastructure nodes. GTP-U peers should therefore be prepared to handle GTP-U-in-GTP-U packets. In CT environments, operators should use an intrusion prevention system (IPS) or firewalls that understand CT protocols. Since GTP-U is not normal user traffic, especially in private 5G, security teams can prioritize and drop GTP-U-in-GTP-U traffic.
As a general rule, the registration and use of SIM cards must be strictly regulated and managed. An attacker with a stolen SIM card could insert it into their own device to connect to the network for malicious deployments. Moreover, in a shared operating model the responsibility for security might be ambiguous: end devices and the edge of the infrastructure chain are owned by the enterprise, while the cellular infrastructure is owned by the integrator or carrier. This makes it a hard task for security operations centers (SOCs) to bring relevant information together from different domains and solutions.
In addition, due to the downtime and tests required, updating critical infrastructure software regularly to keep up with vendors' patches is not easy, nor will it ever be. Virtual patching with an IPS or layered firewalls is thus strongly recommended. Fortunately, GTP-in-GTP is rarely used in real-world applications, so it might be safe to completely block all GTP-in-GTP traffic. We recommend using layered security solutions that combine IT and communications technology (CT) security and visibility. Implementing zero-trust solutions, such as Trend Micro™ Mobile Network Security, powered by CTOne, adds another security layer for enterprises and critical industries, preventing the unauthorized use of their private networks and ensuring that a SIM is used only from an authorized device, for a continuous and undisrupted industrial ecosystem. Mobile Network Security also brings CT and IT security into a unified visibility and management console.
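As an added example (not code from this writeup, from Open5GS or from any product named here), the following Python check implements the drop rule recommended above for the nesting described at the start of this entry: it parses the outer GTP-U header, looks for an IPv4/UDP T-PDU addressed to the GTP-U port 2152, and flags the packet, noting the zero-length inner header, when the payload is itself GTP-U. The sample PDUs, TEIDs and addresses are constructed; the inner header uses the 0xFF type and length 0 from the writeup, while the outer length follows from the constructed inner packet rather than the 44 bytes seen in the capture.

```python
import struct
from typing import Optional, Tuple

GTPU_PORT = 2152
G_PDU = 0xFF  # GTP-U message type that carries a user T-PDU

def parse_gtpu(buf: bytes) -> Optional[Tuple[int, int, int]]:
    """GTPv1-U header (3GPP TS 29.281) -> (msg_type, length field, header_len), or None."""
    if len(buf) < 8 or (buf[0] >> 5) != 1 or not buf[0] & 0x10:
        return None  # require version 1 and PT=1 (GTP rather than GTP')
    length = struct.unpack('!H', buf[2:4])[0]
    return buf[1], length, (12 if buf[0] & 0x07 else 8)  # E/S/PN flags add 4 bytes

def inner_gtpu(tpdu: bytes) -> Optional[Tuple[int, int, int]]:
    """Inner GTP-U header if the T-PDU is IPv4/UDP addressed to port 2152, else None."""
    if len(tpdu) < 20 or tpdu[0] >> 4 != 4 or tpdu[9] != 17:
        return None
    ihl = (tpdu[0] & 0x0F) * 4
    if len(tpdu) < ihl + 8 or struct.unpack('!H', tpdu[ihl + 2:ihl + 4])[0] != GTPU_PORT:
        return None
    return parse_gtpu(tpdu[ihl + 8:])

def inspect(pdu: bytes) -> str:
    """Verdict for one GTP-U PDU arriving from the RAN: 'pass' or 'drop: <why>'."""
    outer = parse_gtpu(pdu)
    if outer is None:
        return 'drop: not GTP-U'
    msg_type, _, hlen = outer
    if msg_type != G_PDU:
        return 'pass'  # echo / error indication etc. are outside this check
    inner = inner_gtpu(pdu[hlen:])
    if inner is None:
        return 'pass'
    return 'drop: GTP-U-in-GTP-U' + (', inner length 0' if inner[1] == 0 else '')

def sample_pdu(dport: int, payload: bytes) -> bytes:
    """Constructed outer G-PDU (TEID 0x1234) carrying an IPv4/UDP T-PDU from 10.45.0.2 to 10.0.0.10."""
    udp = struct.pack('!HHHH', 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 45, 0, 2]), bytes([10, 0, 0, 10])) + udp
    return bytes([0x30, G_PDU]) + struct.pack('!HI', len(ip), 0x1234) + ip

# Constructed samples: ordinary DNS traffic, and a T-PDU that is itself an
# 8-byte G-PDU header with length 0, the anomaly described in this entry.
NORMAL = sample_pdu(53, b'\x00' * 12)
NESTED = sample_pdu(GTPU_PORT, bytes([0x30, G_PDU]) + struct.pack('!HI', 0, 1))
```

Running `inspect(NORMAL)` returns 'pass' while `inspect(NESTED)` returns 'drop: GTP-U-in-GTP-U, inner length 0'; a non-GTP-U buffer on the tunnel port is dropped as well.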