A Deep Dive into the Packet Reflection Vulnerability Allowing Attackers to Plague Private 5G Network

Cyber Security Threat Summary:
5G technology has bolstered productivity in modern-day factories, allowing multiple devices to be connected simultaneously, but 5G networks are not immune to cyberattacks. In our recent joint research effort with CTOne and the Telecom Technology Center (TTC), the official advisory group to Taiwan's National Communications Commission and Ministry of Digital Affairs, Trend Micro looked into ZDI-CAN-18522, a packet reflection vulnerability in the UPF of 5G cores (5GC). The absence of any authentication mechanisms in the GTP-U protocol between base stations and the user plane of 5GC enabled us to take advantage of ZDI-CAN-18522 in 5GC UPFs and compromise 5G devices connected to internal networks.

ZDI-CAN-18522 received a CVSS score of 8.3 and allows an attacker to exploit GTP-U to attack connected 5G devices. Trend Micro tested the attack scenario against two commercial and two open-source vendors and found that all were at risk of attack as a result of this vulnerability.

“Private enterprise 5G network deployments may have different topologies: Certain topologies leave the UPF interface exposed to the Internet, and consequently, are within reach of threat actors on external networks. By exploiting ZDI-CAN-18522, a cybercriminal could still access 5G IoT devices — even if these are protected behind firewalls, Network Address Translation (NAT), and in isolated environments — through an exposed 5GC interface” (Trend Micro, 2023).

“In 5G networks, every user device has at least one GTP tunnel to send or receive data traffic that is transferred through these tunnels between the 5GC, which is on the cloud, and a base station. The user plane of 5GC identifies GTP tunnels by way of a 32-bit tunnel endpoint identifier (TEID), which makes up part of the GTP's header; 5G user devices also have individual TEIDs for uplink and downlink. Through tunneling, the contents of a GTP packet — which is created by appending a GTP header to the original packet — can be sent unmodified across subnets. So long as its TEID is valid, a GTP packet can be sent to a 5G user device from anywhere: Cybercriminals could send multiple pings with different TEIDs in the GTP packet to the target IP, banking on smart guessing to match one of the TEIDs with the IP” (Trend Micro, 2023).

Trend Micro points to the lack of encryption in the GTP-U protocol as the reason the 5GC interface can serve as an entry point for threat actors: GTP-U tunneling exposes an enterprise’s private subnets to access from external networks. The problem is compounded by the fact that many 5GC vendors have no built-in mechanism to ensure that packets reaching the UPF come from trusted sources, and such a check is not currently a mandatory requirement of the 3rd Generation Partnership Project (3GPP) standards.

Attack Vectors:
Over the course of this research, Trend Micro identified the following attack vectors that threat actors may use to infiltrate 5G networks via this vulnerability:

Downlink
In one attack scenario, we discovered that an attack packet — one wherein a user device’s IP is set as its destination and an Internet IP as its source — can be encapsulated in a GTP packet and sent to the UPF. After looking up its TEID, the UPF decapsulates the packet and sends it to a user device. The user device then replies to the Internet IP; if the attacker has set the Internet IP to their own, this is how they could establish a two-way connection with the device.

Uplink
Another kind of attack involves an attacker crafting a packet — this time with a user device’s IP as the source and an Internet IP as the destination — that is encapsulated in a GTP packet. This is sent to the UPF, which looks up the TEID, decapsulates the inner packet, and forwards it to the Internet IP. The Internet server replies to the user device, sending the packet back through the 5G network.

Suggested Correction(s):
As manufacturing sites become more connected, attackers’ entry points multiply and grow more complex. Defending against emerging threats to networked factories requires a proactive and comprehensive security strategy. Organizations can shore up their defenses against security flaws like ZDI-CAN-18522 with the following defensive strategies:

As suggested by the GSM Association (GSMA), enterprises can use Internet Protocol Security (IPsec) to protect GTP. This, or other similar secure tunneling mechanisms between base stations and the 5GC, can help deter man-on-the-side (MoTS) attacks. Enterprises can also reduce their attack surface by using an external security device capable of IP cross-checking, as this is not offered by many commercial 5GC vendors.
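As an added illustration, not code from the Trend Micro research or any 5GC vendor, the Python below implements the IP cross-checking recommended above against the GTP-U/TEID mechanics described earlier: it parses a G-PDU arriving on the UPF's N3 side, extracts the TEID and the inner IPv4 addresses, and drops anything whose outer source is not the session's gNB or whose inner source is not the UE bound to that TEID. The TEID, UE address, gNB address and the session table are constructed sample values.

```python
import struct
import ipaddress
G_PDU = 0xFF  # GTP-U message type carrying an encapsulated user packet (3GPP TS 29.281)
SAMPLE_BINDINGS = {0x1000: ("10.45.0.2", {"192.168.3.10"})}  # constructed: TEID -> (UE IP, trusted gNB N3 addrs)

def parse_gtpu(payload: bytes):
    """Return (teid, inner_packet) from a GTP-U v1 G-PDU, or raise ValueError."""
    if len(payload) < 8:
        raise ValueError("truncated GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1 or not flags & 0x10 or msg_type != G_PDU:
        raise ValueError("not a GTP-U v1 G-PDU")
    hdr = 8
    if flags & 0x07:                      # E, S or PN set: 4 optional bytes follow
        hdr += 4
        next_ext = payload[11] if flags & 0x04 else 0
        while next_ext:                   # walk the extension header chain (E bit)
            ext_len = payload[hdr] * 4    # extension length is in 4-byte units
            next_ext = payload[hdr + ext_len - 1]
            hdr += ext_len
    return teid, payload[hdr:8 + length]  # length counts bytes after the 8-byte mandatory header

def inner_ipv4_addrs(inner: bytes):
    """Source and destination of the decapsulated IPv4 packet."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return ipaddress.IPv4Address(inner[12:16]), ipaddress.IPv4Address(inner[16:20])

def check_n3_gpdu(outer_src: str, payload: bytes, bindings=SAMPLE_BINDINGS):
    """Cross-check a G-PDU received on the UPF's N3 side; returns (verdict, reason)."""
    try:
        teid, inner = parse_gtpu(payload)
        src, _dst = inner_ipv4_addrs(inner)
    except (ValueError, IndexError) as exc:
        return "drop", f"malformed: {exc}"
    if teid not in bindings:
        return "drop", f"unknown TEID {teid:#010x}"
    ue_ip, trusted_peers = bindings[teid]
    if outer_src not in trusted_peers:    # packet did not come from this session's gNB
        return "drop", f"outer source {outer_src} is not a trusted N3 peer"
    if src != ipaddress.IPv4Address(ue_ip):  # inner source must be the UE owning the TEID
        return "drop", f"inner source {src} does not match UE {ue_ip}"
    return "forward", "ok"

def sample_gpdu(teid: int, inner_src: str, inner_dst: str) -> bytes:
    """Constructed test vector: minimal G-PDU around a bare IPv4 header (zero checksum)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0x4000, 64, 1, 0,
                     ipaddress.IPv4Address(inner_src).packed, ipaddress.IPv4Address(inner_dst).packed)
    return struct.pack("!BBHI", 0x30, G_PDU, len(ip), teid) + ip
```

The check covers both reflection directions described above: a downlink-style packet fails the inner-source comparison, and an uplink-style packet injected from outside fails the trusted-peer comparison.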
Link(s):
https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/plague-private-5g-networks