General Information
Spec #:
29.510
CR #:
1204
Revision #:
-
Impacted version:
19.3.0
Target Release:
Rel-19
Title:
producerSnssaiList and producerNsiList claims in Access Token
WG TDoc:
C4-253085
WG status:
Agreed
New version:
19.4.0
Category:
F
TSG TDoc:
CP-252037
TSG status:
Approved
Entities:
UICC
ME
RAN
CN
Related Work Items
UID | Acronym | Title | Resp. grp(s)
1040001 | SBIProtoc19 | Service Based Interface Protocol Improvements Release 19 | -
Additional Information
Clauses Affected:
6.3.5.2.4, E.6, E.7
Reason For Change:
CT4 has received an LS (CVD-2025-0101) from GSMA CVD PoE reporting the following:
One of the attacks in this submission named "A1: Coarse Scope Attack" exploits the fact that the content of the producerSnssaiList attribute in the OAuth 2.0 access token granted by the NRF to the NF Consumer is not clearly enough defined in the 3GPP specifications, which can lead to incorrect implementations in the NRF. Specifically, instead of including in this attribute only the slices authorized for the particular NF Consumer, the NRF can mistakenly include all slices supported by the NF Producer. Consequently, a malicious NF Consumer can use this access token to access services of all slices served by the NF Producer, beyond those for which this NF Consumer is authorized. This compromises the isolation between network slices, potentially leading to data leakage, service disruption, and unauthorized resource usage.
3GPP TS 29.510 Table 6.3.5.2.4-1 defines producerSnssaiList in the following way: "This IE may be included if the NRF supports providing list of S-NSSAIs of the NF service producer in the access token claims." From the above, it is not clear which S-NSSAIs should be included in this list: only the slices authorized for the NF Consumer, or all slices supported by the NF Producer. If all S-NSSAIs supported by the NF Producer are included (because the TS is interpreted by the NRF vendor in that way), then the described attack is possible.
Summary Of Change:
The description of the producerSnssaiList claim in Access Token is clarified to refer to slices of the NF service producer that are authorized for the NF service consumer. A similar correction is done for the producerNsiList claim.
Consequence If Not Approved:
Potential risk of incorrect implementations in the NRF causing vulnerability issues (i.e. consumer getting access to services of the NF service producer's slices that are not authorized for the consumer).
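The two readings of producerSnssaiList described in the Reason For Change and Summary Of Change above, as an added example that is not part of the CR or of TS 29.510. The function names, the per-consumer authorization list and the choice to refuse a token when no slice matches are assumptions of this sketch; only the claim name producerSnssaiList comes from the page.

```python
# Added illustration: function names and the policy model are hypothetical.

def _key(snssai):
    # An S-NSSAI is compared on its SST plus the optional SD.
    return (snssai["sst"], snssai.get("sd"))

def coarse_claim(producer_snssais):
    """Misreading described in the CR: every slice the producer serves."""
    return list(producer_snssais)

def scoped_claim(producer_snssais, consumer_authorized):
    """Clarified reading: producer slices that are authorized for this consumer."""
    allowed = {_key(s) for s in consumer_authorized}
    scoped = [s for s in producer_snssais if _key(s) in allowed]
    if not scoped:
        # Assumption of this example: refuse the request rather than
        # issue a token that carries no slice restriction at all.
        raise PermissionError("consumer is not authorized for any producer slice")
    return scoped

def producer_permits(claims, requested):
    """Producer-side check of the requested slice against the token claim.
    An absent claim is treated as 'deny' here (a choice of this example)."""
    granted = {_key(s) for s in claims.get("producerSnssaiList", [])}
    return _key(requested) in granted

# Constructed sample data.
PRODUCER_SLICES = [{"sst": 1, "sd": "000001"}, {"sst": 1, "sd": "000002"}, {"sst": 2}]
CONSUMER_AUTHORIZED = [{"sst": 1, "sd": "000001"}]
OTHER_SLICE = {"sst": 1, "sd": "000002"}  # served by the producer, not authorized

def demo():
    coarse = {"producerSnssaiList": coarse_claim(PRODUCER_SLICES)}
    scoped = {"producerSnssaiList": scoped_claim(PRODUCER_SLICES, CONSUMER_AUTHORIZED)}
    return {
        "coarse_allows_other_slice": producer_permits(coarse, OTHER_SLICE),
        "scoped_allows_other_slice": producer_permits(scoped, OTHER_SLICE),
        "scoped_allows_own_slice": producer_permits(scoped, CONSUMER_AUTHORIZED[0]),
    }

if __name__ == "__main__":
    print(demo())
```

A regression test for an NRF implementation can follow the same pattern: request a token as a consumer authorized for one slice and assert that the issued claim contains no other slice of the producer.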
Other Comments:
This CR does not cause any OpenAPI change.
CR Revision History:
Other Core Specs:
Other Core Specifications:
TS/TR ... CR ...
Test Specs:
Test Specifications:
TS/TR ... CR ...
OM Specs:
OM Specifications:
TS/TR ... CR ...
Remarks
Remarks (0)
Creation date
Author
Remark
No Remarks Added