Sjna0414

**Name of the Vulnerable Software and Affected Versions** Ella Core versions prior to 1.10.0 **Description** A radio with a valid NG Setup can send a forged 'PDUSessionResourceSetupResponse' carrying any UE's `AMF-UE-NGAP-ID`. The software fails to verify if the message arrived on the SCTP association bound to the logical NG-connection of that UE, subsequently creating a GTP tunnel towards the radio. This results in the redirection of downlink user-plane traffic for the targeted UE to the attacker's radio. **Recommendations** Update to version 1.10.0.

**Name of the Vulnerable Software and Affected Versions** Ella Core versions prior to 1.10.0 **Description** Ella Core fails to enforce security rules regarding the concurrent execution of security procedures. Specifically, the system may send a NAS Security Mode Command while an N2 handover is still pending, or vice versa. This concurrency results in a KgNB mismatch between the User Equipment (UE) and the target gNB, leading to a handover failure. Triggering this issue requires a stalled gNB combined with a re-registration race. **Recommendations** Update to version 1.10.0.

**Name of the Vulnerable Software and Affected Versions** Ella Core versions prior to 1.10.0 **Description** Ella Core, a 5G core for private networks, fails to verify UE Security Capabilities received in NGAP 'PathSwitchRequest' messages against locally stored values. This allows a malicious gNB to overwrite the stored security capabilities for any UE with arbitrary values by sending a single crafted 'PathSwitchRequest', leading to the corruption of the target UE's security data. **Recommendations** Update to version 1.10.0.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The Access and Mobility Management Function (AMF) in free5GC fails to verify UE Security Capabilities received in NGAP PathSwitchRequest messages against locally stored values. This occurs within the `handlePathSwitchRequestMain()` function located in `amf/internal/ngap/handler.go`. A malicious gNB can overwrite the stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge and subsequent Handover Request messages. This leads to a persistent handover denial-of-service for affected UEs, as target gNBs may reject the procedure if the corrupted algorithms do not match their configured allowed algorithms. **Recommendations** Update to version 4.2.2. As a temporary workaround, restrict access to the `handlePathSwitchRequestMain()` function or the associated NGAP PathSwitchRequest processing to trusted gNBs only.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The Access and Mobility Management Function (AMF) in free5GC fails to enforce concurrent security procedure rules. Specifically, the AMF does not verify if an N2 handover procedure is ongoing before initiating a NAS Security Mode Command, and conversely, does not check for an ongoing NAS Security Mode Command before starting N2 procedures. This lack of synchronization can result in mismatches between the Non-Access Stratum (NAS) and Access Stratum (AS) security contexts in the network and the User Equipment (UE). Technical exploitation involves the `SecurityMode()` function in `internal/gmm/sm.go` and the `handleHandoverRequiredMain()` function in `internal/ngap/handler.go`, where required cross-procedure checks are missing. **Recommendations** Update to version 4.2.2. As a temporary workaround, restrict the use of the `SecurityMode()` function and the `handleHandoverRequiredMain()` function to ensure they do not execute concurrently for the same UE.