Post on 11-Mar-2023
© 2014 – P1 Security, All Rights Reserved – 0113.1.2 1
Security Solution
P1 Telecom Fuzzer (PTF)
SS7, LTE, CDMA, GTP, Proprietary OAM, Megaco, ...
P1 Telecom Fuzzer
• A Fuzzer specific to Telecom protocols
• Goes deeper into telco layers
– E.g. fuzzing an HLR request IMSI with correct underlying layers (M3UA, SCCP, TCAP)
– E.g. fuzzing SCCP parameter offsets depending on the SCCP message type
– E.g. aware of protocol state machines
• Compatible with a wide range of Network Elements from multiple vendors
• Discovered numerous vulnerabilities already in Critical Core Network Elements
– E.g. SIGTRAN
Tested Network Elements
Network Element Type | Brand / Model
HLR/HSS              | NSN NT-HLR, Apertio OneHLR/OneNDS, Ericsson HLR
MSC, MSS, MGW        | Huawei MSoftX3000, Huawei UMG8900, Ericsson MSS R5.0, R5.1
STP                  | NSN HiS700, Huawei SG7000, Tekelec Eagle, Cisco ITP
MME                  | Cisco
eNodeB               | Huawei
SGW/PGW              | Cisco
OSS                  | NSN
AGW, AGCF            | Huawei, NSN
Interconnection
• PTF directly interconnects to the Network Element you are auditing
• Or it can be interconnected through an STP / IP Router
PTF Deployment: Virtual Appliance
• VM based
– Oracle Virtualbox or VMware
– Deployed as operator private cloud
• Wiring of network interfaces
– Done on physical host
• Signaling link (IP, SCTP, SIGTRAN) to the audited NE
• OAM link for management
Sample of vulnerabilities
• Discovered by PTF
• Analysed and evaluated by P1 Security Team
• Now in P1 Security VKB
Vulnerability description | Risk | P1 VID
Ulticom Signalware malformed M3UA log flooding | Medium | P1VID#799
Diameter processing crashes on HSS | High | P1VID#718
NSN Telecommunication Service Platform MAP bug | High | P1VID#772
Ulticom Signalware SS7 SCCP stack vulnerability leads to DoS of all SIGTRAN interconnections | High | P1VID#773
Example: Ulticom Signalware SCCP stack bug, P1VID#773
Bug type: NULL pointer dereference in a userland binary
Details: MSU decoding. The Signalware kernel module forwards an invalid SCCP message to userland.
The userland binary incorrectly checks the MSU and attempts to access deeper into the payload; it dereferences a pointer that has been set to NULL in the IPC structure of the kernel-userland communication.
The userland program crashes and, on NSN products, creates a coredump in /TspCore/ if instrumentation is correctly configured.
Impact: After 2 crashes, Ulticom Signalware shuts down and all SS7 links are dropped.
After 2 minutes the TSP framework restarts the interconnections.
Not exploitable to execute code remotely.
Total downtime of all SIGTRAN interconnections: 2 minutes, ± 1 min depending on the environment.
If the attack is repeated, all interconnections stay down for the duration of the attack.
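As an added example (not P1 Security's or Ulticom's code), the kind of bounds checking the description above says was missing: a small SCCP UDT/XUDT decoder that validates every message-type-dependent pointer and length before following it, run over constructed sample MSUs. The field layout follows ITU-T Q.713; the parameter contents and the mutated messages are made up for the example.

```python
SCCP_UDT, SCCP_XUDT = 0x09, 0x11
# message type -> (fixed octets after the type octet, pointer octets that follow), per ITU-T Q.713
LAYOUT = {
    SCCP_UDT:  (1, ("called_party", "calling_party", "data")),              # fixed: protocol class
    SCCP_XUDT: (2, ("called_party", "calling_party", "data", "optional")),  # fixed: class, hop counter
}

class MalformedSCCP(ValueError):
    pass  # raised instead of reading outside the MSU

def _follow_pointer(msu: bytes, ptr_pos: int) -> int:
    start = ptr_pos + msu[ptr_pos]          # a pointer is relative to its own position
    if msu[ptr_pos] == 0 or start >= len(msu):
        raise MalformedSCCP(f"pointer at {ptr_pos} -> {start} is outside the {len(msu)}-octet MSU")
    return start

def _read_param(msu: bytes, ptr_pos: int) -> bytes:
    start = _follow_pointer(msu, ptr_pos)   # points at the parameter's length octet
    end = start + 1 + msu[start]
    if end > len(msu):
        raise MalformedSCCP(f"parameter at {start} claims {msu[start]} octets, MSU ends at {len(msu)}")
    return msu[start + 1:end]

def decode_sccp(msu: bytes) -> dict:
    """Decode a UDT or XUDT MSU; every offset is validated before the payload is touched."""
    if not msu or msu[0] not in LAYOUT:
        raise MalformedSCCP("empty MSU or unsupported message type")
    fixed_len, names = LAYOUT[msu[0]]
    if len(msu) < 1 + fixed_len + len(names):
        raise MalformedSCCP("MSU too short for the mandatory pointers")
    params = {"msg_type": msu[0], "protocol_class": msu[1]}
    for i, name in enumerate(names):
        ptr_pos = 1 + fixed_len + i
        if name == "optional":   # XUDT only: pointer 0 means there is no optional part
            params[name] = msu[_follow_pointer(msu, ptr_pos):] if msu[ptr_pos] else b""
        else:
            params[name] = _read_param(msu, ptr_pos)
    return params

def is_malformed(msu: bytes) -> bool:
    """True if the decoder rejects the MSU: rejecting, not crashing, is the robust outcome."""
    try:
        decode_sccp(msu)
        return False
    except MalformedSCCP:
        return True

# Constructed sample MSUs (not captured traffic): a well-formed UDT and two fuzzer-style mutations
VALID_UDT   = bytes.fromhex("09 00 03 05 07 02 42 07 02 42 08 03 aa bb cc")
BAD_POINTER = bytes.fromhex("09 00 03 05 7f 02 42 07 02 42 08 03 aa bb cc")  # data pointer past end
BAD_LENGTH  = bytes.fromhex("09 00 03 05 07 02 42 07 02 42 08 20 aa bb cc")  # data length overruns MSU
```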
P1 Telecom Fuzzer
• Validate your Network Elements before deploying in production
– Reduce downtime
• Evaluate impact of vendor updates
– Know your infrastructure
• Unique Telecom specific robustness assessment
– Made for validation of Telecom Network Elements and Signaling stacks