1、 ETSI TR 133 926 V14.0.0 (2017-04) LTE; Security Assurance Specification (SCAS) threats and critical assets in 3GPP network product classes (3GPP TR 33.926 version 14.0.0 Release 14) TECHNICAL REPORT ETSI ETSI TR 133 926 V14.0.0 (2017-04)13GPP TR 33.926 version 14.0.0 Release 14Reference RTR/TSGS-03
2、33926ve00 Keywords LTE,SECURITY ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present doc
3、ument can be downloaded from: http:/www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In c
4、ase of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the docu
5、ment may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/p
6、ortal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be mod
7、ified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications Standards Institute 2017. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit
8、 of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. oneM2M logo is protected for the benefit of its Members GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI TR 133 926 V1
9、4.0.0 (2017-04)23GPP TR 33.926 version 14.0.0 Release 14Intellectual Property Rights IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and
10、 can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the
11、ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Forew
12、ord This Technical Report (TR) has been produced by ETSI 3rd Generation Partnership Project (3GPP). The present document may refer to technical specifications or reports using their 3GPP identities, UMTS identities or GSM identities. These should be interpreted as being references to the correspondi
13、ng ETSI deliverables. The cross reference between GSM, UMTS, 3GPP and ETSI identities can be found under http:/webapp.etsi.org/key/queryform.asp. Modal verbs terminology In the present document “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as
14、 described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI TR 133 926 V14.0.0 (2017-04)33GPP TR 33.926 version 14.0.0 Release 14Contents Intellectual Pr
15、operty Rights 2g3Foreword . 2g3Modal verbs terminology 2g3Foreword . 5g31 Scope 6g32 References 6g33 Definitions and abbreviations . 6g33.1 Definitions 6g33.2 Abbreviations . 6g34 Generic Network Product (GNP) class description 7g34.1 Overview 7g34.2 Minimum set of functions defining the GNP class .
16、 8g34.3 Generic network product model . 8g34.3.1 Generic network product model overview 8g34.3.2 Functions defined by 3GPP 8g34.3.3 Other functions . 8g34.3.4 Operating System (OS) . 8g34.3.5 Hardware 8g34.3.6 Interfaces. 9g34.4 Scope of the present document . 9g34.4.1 Introduction. 9g34.4.2 Scope r
17、egarding GNP functions defined by 3GPP . 10g34.4.3 Scope regarding other functions . 10g34.4.4 Scope regarding Operating System (OS) 10g34.4.5 Scope regarding hardware 10g34.4.6 Scope regarding interfaces 10g35 Generic Assets and Threats 10g35.1 Introduction 10g35.2 Generic critical assets . 10g35.3
18、 Generic threats 11g35.3.0 Generic threats format . 11g35.3.1 Introduction. 11g35.3.2 Threats relating to 3GPP-defined interfaces . 12g35.3.3 Spoofing identity 12g35.3.3.1 Default Accounts . 12g35.3.3.2 Weak Password Policies . 12g35.3.3.3 Password peek . 13g35.3.3.4 Direct Root Access 13g35.3.3.5 I
19、P Spoofing . 13g35.3.3.6 Malware 13g35.3.3.7 Eavesdropping . 13g35.3.4 Tampering . 14g35.3.4.1 Software Tampering 14g35.3.4.2 Ownership File Misuse . 14g35.3.4.3 External Device Boot 14g35.3.4.4 Log Tampering 14g35.3.4.5 OAM Traffic Tampering . 14g35.3.4.6 File Write Permissions Abuse . 15g35.3.5 Re
20、pudiation . 15g35.3.5.1 Lack of User Activity Trace 15g35.3.6 Information disclosure 15g35.3.6.1 Poor key generation. 15g35.3.6.2 Poor key management . 15g3ETSI ETSI TR 133 926 V14.0.0 (2017-04)43GPP TR 33.926 version 14.0.0 Release 145.3.6.3 Weak cryptographic algorithms 16g35.3.6.4 Insecure Data S
21、torage . 16g35.3.6.5 System Fingerprinting . 16g35.3.6.6 Malware 16g35.3.6.7 Personal Identification Information Violation. 17g35.3.6.8 Insecure Default Configuration . 17g35.3.6.9 File/Directory Read Permissions Misuse 17g35.3.6.10 Insecure Network Services 17g35.3.6.11 Unnecessary Services 17g35.3
22、.6.12 Log Disclosure 18g35.3.6.13 Unnecessary Applications . 18g35.3.6.14 Eavesdropping . 18g35.3.6.15 Security threat caused by lack of GNP traffic isolation 18g35.3.7 Denial of service . 19g35.3.7.1 Compromised/Misbehaving User Equipments 19g35.3.7.2 Implementation Flaw 19g35.3.7.3 Insecure Networ
23、k Services 19g35.3.7.4 Human Error . 19g35.3.8 Elevation of privilege 20g35.3.8.1 Misuse by authorized users . 20g35.3.8.2 Over-Privileged Processes/Services 20g35.3.8.3 Folder Write Permission Abuse 20g35.3.8.4 Root-Owned File Write Permission Abuse . 20g35.3.8.5 High-Privileged Files 20g35.3.8.6 I
24、nsecure Network Services 21g35.3.8.7 Elevation of Privilege via Unnecessary Network Services . 21g3Annex A: Aspects specific to the network product class MME . 22g3A.1 Network product class description for the MME . 22g3A.1.1 Introduction 22g3A.1.2 Minimum set of functions defining the MME network p
25、roduct class 22g3A.2 Assets and threats specific to the MME . 22g3A.2.1 Critical assets 22g3A.2.2 Threats related to AKA procedures 23g3A.2.2.1 Access to 2G . 23g3A.2.2.2 Resynchronization 23g3A.2.2.3 Failed Integrity check of Attach message . 23g3A.2.2.4 Forwarding EPS authentication data to SGSN .
26、 23g3A.2.2.5 Forwarding unused EPS authentication data between different security domains 23g3A.2.3 Threats related to security mode command procedure . 24g3A.2.3.1 Bidding Down . 24g3A.2.3.2 NAS integrity selection and use 24g3A.2.3.3 NAS NULL integrity protection . 24g3A.2.3.4 NAS confidentiality
27、protection . 24g3A.2.4 Threats related to security in Intra-RAT mobility 24g3A.2.4.1 Bidding down on X2-Handover 24g3A.2.4.2 NAS integrity protection algorithm selection in MME change 25g3A.2.5 Threats related to security in Inter-RAT mobility 25g3A.2.5.1 2G SIM access via idle mode mobility . 25g3A
28、.2.5.2 2G SIM access via handover. 25g3A.2.5.3 2G SIM access via SRVCC 25g3A.2.6 Threats related to release of non-emergency bearer . 25g3Annex B: Change history 27g3History 28g3ETSI ETSI TR 133 926 V14.0.0 (2017-04)53GPP TR 33.926 version 14.0.0 Release 14Foreword This Technical Report has been pro
29、duced by the 3rdGeneration Partnership Project (3GPP). The contents of the present document are subject to continuing work within the TSG and may change following formal TSG approval. Should the TSG modify the contents of the present document, it will be re-released by the TSG with an identifying ch
30、ange of release date and an increase in version number as follows: Version x.y.z where: x the first digit: 1 presented to TSG for information; 2 presented to TSG for approval; 3 or greater indicates TSG approved document under change control. Y the second digit is incremented for all changes of subs
31、tance, i.e. technical enhancements, corrections, updates, etc. z the third digit is incremented when editorial only changes have been incorporated in the document. ETSI ETSI TR 133 926 V14.0.0 (2017-04)63GPP TR 33.926 version 14.0.0 Release 141 Scope The present document captures the network product
32、 class descriptions, threats and critical assets that have been identified in the course of the work on 3GPP security assurance specifications. The main body of the present document contains generic aspects that are believed to apply to more than one network product class, while Annexes cover the as
33、pects specific to one network product class. 2 References The following documents contain provisions which, through reference in this text, constitute provisions of the present document. - References are either specific (identified by date of publication, edition number, version number, etc.) or non
34、-specific. - For a specific reference, subsequent revisions do not apply. - For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the sam
35、e Release as the present document. 1 3GPP TR 21.905: “Vocabulary for 3GPP Specifications“. 2 3GPP TR 33.916: “Security Assurance Methodology for 3GPP network products classes“. 3 3GPP TS 23.401: “General Packet Radio Service (GPRS) enhancements for Evolved Universal Terrestrial Radio Access Network
36、(E-UTRAN) access“. 4 3GPP TR 33.821: “Rationale and track of security decisions in Long Term Evolution (LTE) RAN/3GPP System Architecture Evolution (SAE)“. 5 3GPP TS 33.116: “Security Assurance Specification for MME network product class“. 3 Definitions and abbreviations 3.1 Definitions For the purp
37、oses of the present document, the terms and definitions given in 3GPP TR 21.905 1 and the following apply. A term defined in the present document takes precedence over the definition of the same term, if any, in 3GPP TR 21.905 1. GNP Class (Generic Network Product Class): generic network product cla
38、ss is a class of network products that all implement a common set of 3GPP-defined functionalities for that particular network product 3.2 Abbreviations For the purposes of the present document, the abbreviations given in 3GPP TR 21.905 1 and the following apply. An abbreviation defined in the presen
39、t document takes precedence over the definition of the same abbreviation, if any, in 3GPP TR 21.905 1. GNP Generic Network Product SCAS Security Assurance Specification SECAM Security Assurance MethodologyETSI ETSI TR 133 926 V14.0.0 (2017-04)73GPP TR 33.926 version 14.0.0 Release 144 Generic Networ
40、k Product (GNP) class description 4.1 Overview A 3GPP generic network product class defines a set of functions that are implemented on that product, which includes, but not limited to minimum set of common 3GPP functions for that product covered in 3GPP specifications, other functions not covered by
41、 3GPP specifications, as well as interfaces to access that product. A generic network product also includes hardware, software, and OS components that the product is implemented on. The current document describes the threats and the critical assets in the course of developing 3GPP security assurance
42、 specifications for a particular network product class. Applicability of the GNP security assurance specification to products: Assume a telecom equipment vendor wants to sell a product to an operator, and the latter is interested in following the Security Assurance Methodology as described in TR 33.
43、9162, then, before evaluation according to TR 33.9162 in a testing laboratory can start, it first needs to be determined which security assurance specifications written by 3GPP apply to the given product. Each 3GPP Network Product, is basically a device composed of hardware (e.g. chip, processors, R
44、AM, network cards), software (e.g. operating system, drivers, applications, services, protocols), and interfaces (e.g. console interfaces and O and - local logical interfaces. A remote logical interface is an interface which can be used to communicate with the GNP from another network node. The enti
45、re protocol stack implementing the communication is considered to be part of the remote logical interface. Remote Logical Interfaces also include the remote access interfaces to the GNP for its maintenance through e.g. an Element Management System (EMS). A local logical interface is an interface tha
46、t can be used only via physical connection to the GNP. That is, the connection requires physical access to the GNP. The entire protocol stack is considered to be part of the local logical interface. The entire protocol stack and the physical parts of the interface can be used by local connections. L
47、ocal Logical Interfaces also include the local hardware interfaces and the Local Maintenance Terminal interface (LMT) of the GNP used for its maintenance through a console. This means that for both, local and remote logical interfaces, the GNP model does not only cover the application layer protocol
48、, for which a GNP function terminates the interface (e.g. S5), but also the protocols (e.g. SCTP, IP, Ethernet, USB) in the protocol stack below the application layer protocol. There are some major differences between local and remote interfaces from security perspective. For example attaching to a
49、local interface may cause execution of complex internal procedures in the GNP like loading USB device drivers, enumeration of attached devices, mounting file systems etc. A GNP hosts the following interfaces: Remote logical interfaces: - Service interfaces that are defined in pertinent 3GPP specifications - Service interfaces that are not defined by 3GPP - Remote OAM interface - EMS (Element Management System) interface Local logical interfaces: - OAM local console - LMT (Local Maintenance Terminal) interface - GNP local hardware interfaces NOTE: There i
