Fix Security Mode Command Authentication Bypass
Hello OAI-Team,
This patch series addresses a security issue where the UE improperly accepts a Security Mode Command (SMC) without an authentication header (Security Header 0). This behavior violates TS 24.501 and enables an attacker to bypass authentication, set integrity protection to NULL (NIA0), and reconfigure the UE without proper verification.
We identified the following issues:
- The UE currently accepts unauthenticated SMC messages, even allowing NIA0 and EIA0 to be set outside emergency mode.
- When applying NIA0, the MAC field remains uninitialized, consistently containing the sequence 0xFF3F0000, making it feasible to bypass authentication and enforce insecure configurations.
- The UE does not properly signal security mode failures to the Core Network.
This patch series tries to address the above-mentioned issues:
- Reject unauthenticated SMC messages, enforcing the requirement that they must be integrity-protected.
- Validate MAC before applying security settings, ensuring that only authenticated messages are accepted.
- Tear down the security context if an integrity check fails.
- Introduce the Security Mode Reject message to inform the Core Network of failed SMC procedures, as required by TS 24.501.
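As an added illustration of the acceptance policy described above (example code written for this message, not part of the patch series or of the OAI UE), the following self-contained C check decides whether a received SMC may be applied: security header type 0 is rejected, the MAC is verified before any setting is read, and NIA0 is refused outside emergency mode. The 5GMM constants (EPD 0x7E, security header type 3, message type 0x5D, integrity algorithm in the low nibble of the selected-algorithms octet) follow TS 24.501; the MAC routine is a constructed FNV-1a stand-in so the example runs offline, not NIA1/NIA2.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* 5GMM constants from TS 24.501; 0x5D is the Security mode command message type. */
#define EPD_5GMM    0x7E
#define SHT_PLAIN   0x00   /* security header type 0: plain, not protected */
#define SHT_INT_NEW 0x03   /* integrity protected with new 5G NAS security context */
#define MT_SMC      0x5D
#define NIA0        0x00

enum verdict { ACCEPT, REJ_UNPROTECTED, REJ_BAD_MAC, REJ_NIA0, REJ_MALFORMED };

/* Integrity callback over sequence number + plain message. demo_mac is a constructed
 * FNV-1a stand-in for the real NIA1/NIA2 computation, used only so the example runs. */
typedef void (*mac_fn)(const uint8_t *d, size_t n, uint8_t *out);
static void demo_mac(const uint8_t *d, size_t n, uint8_t *out) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) h = (h ^ d[i]) * 16777619u;
    for (int i = 0; i < 4; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Decide whether a received SMC may be applied. On REJ_BAD_MAC the caller tears down
 * the security context; every rejection is answered with Security Mode Reject. */
enum verdict check_smc(const uint8_t *pdu, size_t len, mac_fn mac, int emergency) {
    if (len < 3 || pdu[0] != EPD_5GMM) return REJ_MALFORMED;
    if ((pdu[1] & 0x0F) != SHT_INT_NEW) return REJ_UNPROTECTED; /* header type 0 lands here */
    if (len < 11) return REJ_MALFORMED;
    uint8_t expect[4], diff = 0;
    mac(pdu + 6, len - 6, expect);
    for (int i = 0; i < 4; i++) diff |= expect[i] ^ pdu[2 + i]; /* constant-time compare */
    if (diff) return REJ_BAD_MAC;
    if (pdu[7] != EPD_5GMM || pdu[8] != SHT_PLAIN || pdu[9] != MT_SMC) return REJ_MALFORMED;
    if ((pdu[10] & 0x0F) == NIA0 && !emergency) return REJ_NIA0; /* low nibble = integrity alg */
    return ACCEPT;
}

/* Constructed sample PDUs: a plain SMC (the bypass case) and a protected one. */
enum verdict demo_plain_smc(void) {
    uint8_t pdu[] = { EPD_5GMM, SHT_PLAIN, MT_SMC, 0x00, 0x00 };
    return check_smc(pdu, sizeof pdu, demo_mac, 0);
}
enum verdict demo_protected_smc(uint8_t nia, int good_mac) {
    uint8_t pdu[] = { EPD_5GMM, SHT_INT_NEW, 0, 0, 0, 0, 0x01, EPD_5GMM, SHT_PLAIN, MT_SMC, nia, 0x00 };
    const uint8_t stale[4] = { 0xFF, 0x3F, 0x00, 0x00 }; /* the uninitialised pattern from the report */
    if (good_mac) demo_mac(pdu + 6, sizeof pdu - 6, pdu + 2);
    else memcpy(pdu + 2, stale, 4);
    return check_smc(pdu, sizeof pdu, demo_mac, 0);
}
```

demo_protected_smc(0x02, 1) models a correctly protected SMC selecting NIA2, while the stale 0xFF3F0000 MAC and the plain variant both fail before any security setting is applied.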
I welcome any feedback or suggestions to further improve this patch series. Let me know if you see any areas for refinement or if additional testing is needed!
Thanks, Eduard
Signed-off-by: Eduard Vlad eduard.vlad@rwth-aachen.de