Issue Description
srsEPC does not calculate HASHMME in pack_security_mode_command().
According to 3GPP TS 33.401 V14.2.0 [1, Section 7.2.4.4, NAS security mode command procedure], in the case of sending a NAS Security Mode Command during an Attach or TAU procedure, the MME shall calculate a HASHMME of the entire plain Request message and include the HASHMME in the NAS security mode command message.
These unprotected Attach and TAU Request messages will lead to bidding down attacks.
In a man-in-the-middle attack, the attacker removes the UE’s voice calling capabilities from these unprotected messages and adds “Additional update type - SMS only” before forwarding them to the network.
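The check this issue says is missing, sketched as an added example (not srsEPC code and not from the issue author): the MME hashes the plain request it received, and the UE compares that value with a hash of what it actually sent. The function names are hypothetical, and the derivation used here (HMAC-SHA-256 with an all-zero 256-bit key, keeping the 64 least significant bits) is an assumption that should be confirmed against TS 33.401 before use.

```python
import hashlib
import hmac

# Assumption: all-zero 256-bit key, HMAC-SHA-256 as the KDF, truncation to the
# 64 least significant bits. Confirm against TS 33.401 before relying on it.
ZERO_KEY = bytes(32)
HASH_LEN = 8  # 64 bits


def nas_request_hash(plain_request: bytes) -> bytes:
    """Hash the entire plain Attach/TAU Request, byte for byte as transmitted."""
    if not plain_request:
        raise ValueError("empty NAS request")
    digest = hmac.new(ZERO_KEY, plain_request, hashlib.sha256).digest()
    return digest[-HASH_LEN:]


def mme_build_hash(received_request: bytes) -> bytes:
    """MME side: the HASHMME value to carry in the NAS Security Mode Command."""
    return nas_request_hash(received_request)


def ue_request_was_modified(sent_request: bytes, hash_mme: bytes) -> bool:
    """UE side: True when the MME hashed something other than what the UE sent."""
    hash_ue = nas_request_hash(sent_request)
    return not hmac.compare_digest(hash_ue, hash_mme)


# Constructed placeholder bytes standing in for a plain request; not a real
# NAS encoding.
SENT = bytes(range(0x10, 0x30))
# The same bytes with one bit changed in transit (constructed).
ALTERED = SENT[:10] + bytes([SENT[10] ^ 0x40]) + SENT[11:]


def demo() -> dict:
    return {
        "untouched": ue_request_was_modified(SENT, mme_build_hash(SENT)),
        "altered": ue_request_was_modified(SENT, mme_build_hash(ALTERED)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the hash covers the whole plain message, any change to it between UE and MME produces a mismatch on the UE side; without the HASHMME in the Security Mode Command the UE has nothing to compare against.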