[{"data":1,"prerenderedAt":1308},["ShallowReactive",2],{"/vulnerabilities-in-5g-sba/":3,"related-vulnerabilities-in-5g-sba":1307},{"id":4,"title":5,"author":6,"authorName":6,"category":6,"date":6,"description":6,"extension":7,"image":6,"imageAlt":6,"lastModified":6,"meta":8,"readingTime":6,"severity":6,"stem":1305,"__hash__":1306,"body":9},"articles/vulnerabilities-in-5g-sba.md","Vulnerabilities In 5g Sba",null,"md",{"body":9},{"type":10,"value":11,"toc":1294},"minimark",[12,15,20,35,43,51,58,91,95,98,103,288,294],[13,14],"hr",{},[16,17,19],"h2",{"id":18},"title-vulnerabilities-in-the-5g-sbadescription-telcosec-exposes-5g-sba-vulnerabilities-nrf-poisoning-bola-in-telecom-apis-container-breakout-paths-in-kubernetes-deployed-5g-cores-and-zero-trust-defensesdate-2024-03-03lastmodified-2026-05-15author-sentry_primaryauthorname-telcosec-researchcategory-core_attacksseverity-criticalimage-imagesarticlessba-vulnerabilities-herowebpimagealt-5g-sba-kubernetes-security-cloud-native-network-function-vulnerabilitiesreadingtime-22","title: \"Vulnerabilities in the 5G SBA\"\ndescription: \"TelcoSec exposes 5G SBA vulnerabilities: NRF poisoning, BOLA in telecom APIs, container breakout paths in Kubernetes-deployed 5G cores, and zero-trust defenses.\"\ndate: \"2024-03-03\"\nlastModified: \"2026-05-15\"\nauthor: \"Sentry_Primary\"\nauthorName: \"TelcoSec Research\"\ncategory: \"CORE_ATTACKS\"\nseverity: \"CRITICAL\"\nimage: \"/images/articles/sba-vulnerabilities-hero.webp\"\nimageAlt: \"5G SBA Kubernetes Security - Cloud-Native Network Function Vulnerabilities\"\nreadingTime: 22",[21,22,23,24,29,30,34],"p",{},"The transition from 4G LTE to 5G Standalone (SA) represents a paradigm shift in mobile network architecture. 
Where legacy networks relied on monolithic, proprietary hardware communicating over obscure protocols like ",[25,26,28],"a",{"href":27},"/signaling/ss7/","SS7"," and ",[25,31,33],{"href":32},"/signaling/diameter/","Diameter",", 5G is built on the Service Based Architecture (SBA) — a cloud-native framework where every core network function is a microservice communicating via RESTful APIs over HTTP/2.",[21,36,37,38,42],{},"This architectural revolution delivers unprecedented operational flexibility, but it simultaneously imports the entire web application and container security threat landscape into the heart of critical national telecommunications infrastructure. Every OWASP API vulnerability, every Kubernetes misconfiguration, and every container escape technique developed against enterprise cloud environments is now directly applicable to the network that carries emergency calls, enables autonomous vehicles, and supports ",[25,39,41],{"href":40},"/5g-network-slicing-security/","critical infrastructure slicing",".",[21,44,45,46,50],{},"This research provides a comprehensive analysis of SBA-specific attack vectors, from NRF poisoning to API authorization bypass, and the defensive architectures required to mitigate them. For the broader 5G security context including SUCI, 5G-AKA, and SEPP, see our ",[25,47,49],{"href":48},"/5g-network-security-architecture/","5G network security architecture"," analysis.",[52,53],"lead-magnet",{"ctaTitle":54,"description":55,"tag":56,"title":57},"GET CHECKLIST","Download the comprehensive NF-level security audit checklist for Kubernetes-deployed 5G cores (PDF).","sba_lead_magnet","TECHNICAL GUIDE: 5G SBA Security Audit Checklist",[59,60,62,65],"article-intel-briefing",{"title":61},"REPORT OVERVIEW",[21,63,64],{},"In this architecture, Network Functions (NFs) are deployed as cloud-native microservices — typically in Docker containers managed by Kubernetes — communicating via RESTful APIs over HTTP/2. 
This article dissects the specific attack vectors exposed by the 5G SBA, including NRF poisoning, BOLA exploitation, container escape paths, and protocol translation vulnerabilities at the 4G/5G interworking boundary.",[66,67,69],"template",{"v-slot:takeaways":68},"",[70,71,72,76,79,82,85],"ul",{},[73,74,75],"li",{},"NRF poisoning allows for total control over core traffic flows.",[73,77,78],{},"BOLA and Mass Assignment expose subscriber data at the API layer.",[73,80,81],{},"Container escape from border NFs provides kernel-level access.",[73,83,84],{},"Zero Trust mesh (Istio/mTLS) is mandatory for core survival.",[73,86,87,88,90],{},"4G interworking introduces legacy ",[25,89,33],{"href":32}," protocol attack vectors into the 5G core.",[16,92,94],{"id":93},"sba-architecture","I. 5G SBA Architecture Overview",[21,96,97],{},"Before analyzing attack vectors, it's essential to understand the NF landscape. The 5G SBA decomposes the monolithic EPC into discrete, independently scalable Network Functions:",[99,100,102],"h3",{"id":101},"core-network-functions-and-their-attack-surface","Core Network Functions and Their Attack Surface",[104,105,106,125],"table",{},[107,108,109],"thead",{},[110,111,112,116,119,122],"tr",{},[113,114,115],"th",{},"Network Function",[113,117,118],{},"Role",[113,120,121],{},"API Surface",[113,123,124],{},"Risk Level",[126,127,128,143,157,174,188,202,216,232,246,260,274],"tbody",{},[110,129,130,134,137,140],{},[131,132,133],"td",{},"NRF",[131,135,136],{},"Service discovery & authorization",[131,138,139],{},"NF registration/discovery",[131,141,142],{},"Critical — single point of failure",[110,144,145,148,151,154],{},[131,146,147],{},"AMF",[131,149,150],{},"Access & mobility management",[131,152,153],{},"UE registration, handover",[131,155,156],{},"High — border-facing NF",[110,158,159,165,168,171],{},[131,160,161],{},[25,162,164],{"href":163},"/glossary/#session-management-function-smf","SMF",[131,166,167],{},"Session 
management",[131,169,170],{},"PDU session lifecycle",[131,172,173],{},"High — controls data plane",[110,175,176,179,182,185],{},[131,177,178],{},"UDM",[131,180,181],{},"Subscriber data management",[131,183,184],{},"Subscription queries",[131,186,187],{},"Critical — contains all subscriber data",[110,189,190,193,196,199],{},[131,191,192],{},"AUSF",[131,194,195],{},"Authentication",[131,197,198],{},"5G-AKA/EAP-AKA'",[131,200,201],{},"Critical — key derivation",[110,203,204,207,210,213],{},[131,205,206],{},"UPF",[131,208,209],{},"User plane forwarding",[131,211,212],{},"N4 (PFCP)",[131,214,215],{},"High — data plane access",[110,217,218,221,226,229],{},[131,219,220],{},"NSSF",[131,222,223],{},[25,224,225],{"href":40},"Slice selection",[131,227,228],{},"NSSAI routing",[131,230,231],{},"High — cross-slice routing",[110,233,234,237,240,243],{},[131,235,236],{},"PCF",[131,238,239],{},"Policy control",[131,241,242],{},"Policy rules",[131,244,245],{},"Medium — QoS/charging",[110,247,248,251,254,257],{},[131,249,250],{},"NEF",[131,252,253],{},"API exposure to external apps",[131,255,256],{},"Northbound APIs",[131,258,259],{},"High — external attack surface",[110,261,262,265,268,271],{},[131,263,264],{},"NWDAF",[131,266,267],{},"Analytics & ML",[131,269,270],{},"Data collection",[131,272,273],{},"Medium — lateral movement pivot",[110,275,276,279,282,285],{},[131,277,278],{},"SCP",[131,280,281],{},"Service communication proxy",[131,283,284],{},"All inter-NF traffic",[131,286,287],{},"Critical — if compromised, all traffic visible",[21,289,290,291,293],{},"All inter-NF communication uses HTTP/2 with JSON payloads and, where the operator deploys indirect communication, is routed through the Service Communication Proxy (SCP). The NRF acts as the OAuth 2.0 authorization server and issues the access tokens used for NF-to-NF authorization. 
This is a radical departure from the implicit trust model of ",[25,292,28],{"href":27}," legacy signaling — but introduces its own class of vulnerabilities.",[295,296,298,300,304,310,314],"vue-flow-diagram",{"type":297},"sba",[13,299],{},[16,301,303],{"id":302},"threat-landscape","II. The SBA Threat Landscape: Web Attacks Meet Telecom Infrastructure",[21,305,306,307,42],{},"Because the 5G Core (5GC) uses HTTP/2, REST, and JSON, offensive strategies used against enterprise cloud environments are now directly applicable to telecom networks. But the consequences are orders of magnitude more severe — a compromised API in an e-commerce platform leaks credit card numbers; a compromised API in the 5GC can intercept communications, disable emergency services, or compromise ",[25,308,309],{"href":40},"critical URLLC slices",[99,311,313],{"id":312},"bola-attacks","1. BOLA: The #1 API Vulnerability",[315,316,319,325,326,329,334,338,342,346,350,354,358,361,364,368,371,374,377,381,384,389,410,417],"info-callout",{"type":317,"title":318},"hazard","API Authorization Risk",[320,321,324],"span",{"className":322},[323],"text-glow","BOLA (Broken Object Level Authorization)"," is the most critical threat in the 5G Core. A compromised Network Function can often query the UDM for any subscriber's data simply by guessing or brute-forcing the SUPI. 
The 3GPP specifications define the API contract but leave authorization enforcement to implementation — and many implementations are insufficient.\n",[21,327,328],{},"\u003CCodeBlock\nlanguage=\"http\"\nfilename=\"bola-exploit-attempt.http\"\ncode=\"GET /nudm-sdm/v1/imsi-001010123456789/am-data HTTP/2\nHost: udm.5g-core.internal\nAuthorization: Bearer \u003CCompromised_AMF_Token>",[330,331,333],"h1",{"id":332},"attacker-iterates-through-imsi-xxx-to-harvest-subscriber-info","Attacker iterates through imsi-XXX to harvest subscriber info",[330,335,337],{"id":336},"attack-sequence","Attack sequence:",[330,339,341],{"id":340},"_1-compromise-amf-via-api-vulnerability-obtain-valid-oauth-token","1. Compromise AMF via API vulnerability → obtain valid OAuth token",[330,343,345],{"id":344},"_2-token-is-scoped-to-nudm-sdm-subscriber-data-management","2. Token is scoped to 'nudm-sdm' (subscriber data management)",[330,347,349],{"id":348},"_3-use-token-to-query-any-subscribers-data-no-per-supi-scoping","3. Use token to query ANY subscriber's data (no per-SUPI scoping)",[330,351,353],{"id":352},"_4-iterate-imsi-001010000000001-imsi-001010999999999","4. Iterate: imsi-001010000000001 → imsi-001010999999999",[330,355,357],{"id":356},"_5-exfiltrate-subscription-profiles-qos-policies-slice-assignments","5. Exfiltrate: subscription profiles, QoS policies, slice assignments\"",[21,359,360],{},"/>",[362,363],"diagrams-sba-bola-attack-diagram",{},[99,365,367],{"id":366},"mass-assignment","2. Mass Assignment and Parameter Pollution",[21,369,370],{},"Beyond BOLA, 5G NF APIs are vulnerable to Mass Assignment attacks where an attacker includes unexpected parameters in API requests that are blindly processed. 
For example, a request from a compromised NF to the UDM could carry additional JSON fields that the UDM accepts and persists, modifying subscriber profile attributes that should be read-only.",[21,372,373],{},"\u003CCodeBlock\nlanguage=\"http\"\nfilename=\"mass-assignment-attack.http\"\ncode=\"PUT /nudm-sdm/v1/imsi-001010123456789/am-data HTTP/2\nHost: udm.5g-core.internal\nContent-Type: application/json\nAuthorization: Bearer \u003CCompromised_NF_Token>",[21,375,376],{},"{\n'subscribedUeAmbr': {\n'uplink': '1000 Mbps',   // Original subscriber limit: 100 Mbps\n'downlink': '1000 Mbps'  // Unauthorized upgrade via mass assignment\n},\n'nssai': {\n'sst': 2,                // Unauthorized slice access (URLLC)\n'sd': 'enterprise_001'\n}\n}\"\n/>",[99,378,380],{"id":379},"nrf-poisoning","3. The NRF Poisoning Attack",[21,382,383],{},"The Network Repository Function (NRF) acts as the service discovery mechanism for the entire 5GC. It is the DNS of the 5G core — and like DNS poisoning, NRF poisoning can redirect all traffic to attacker-controlled endpoints.",[385,386,388],"h4",{"id":387},"attack-methodology","Attack Methodology",[390,391,392,395,398,401,404,407],"ol",{},[73,393,394],{},"Exploit an authentication weakness in the NRF's registration API (OAuth token with excessive scope, or missing validation of NF profile fields)",[73,396,397],{},"Register a rogue NF instance (e.g., a fake AUSF) with the NRF",[73,399,400],{},"The rogue NF advertises higher priority or lower load than the legitimate AUSF",[73,402,403],{},"NF consumers that discover the AUSF through the NRF (here the AMF) select the rogue instance and send their authentication requests to it",[73,405,406],{},"The rogue NF harvests SUPIs, authentication vectors and the derived KAUSF/KSEAF keys",[73,408,409],{},"Result: Silent subscriber identity cloning at scale",[21,411,412,413,416],{},"This effectively bypasses the ",[25,414,415],{"href":48},"security architecture controls"," designed for the 5G Core, because the attack occurs within the trusted SBA 
fabric.",[315,418,421,422,426,429,518,520,524,527,531,534,537,580,584,591,595,612,615,619,621,625,628,636,640,644,646,650,716,718,722,725,792,796,932,936,939,953,957,959,963,966,968,972,980,1021,1029,1031,1035,1136,1138,1142,1149,1155,1161,1172,1185,1200,1202,1206,1217,1220,1252,1265,1286],{"type":419,"title":420},"warning","NRF Trust Anchor","\nThe NRF is the root of trust for the entire 5G core. If NRF registration is not strictly controlled (mutual TLS + certificate-bound NF identity + NF type/instance validation), the entire SBA security model collapses. There is no recovery from NRF poisoning without full service revalidation.\n",[99,423,425],{"id":424},"oauth-scope-abuse","4. OAuth Token Scope Abuse",[21,427,428],{},"The 3GPP specification (TS 33.501) specifies OAuth 2.0, with the NRF acting as the authorization server, for NF-to-NF authorization. However, the granularity of token scoping is implementation-dependent. Many deployments issue tokens scoped to entire NF service sets rather than specific operations or subscriber contexts:",[104,430,431,447],{},[107,432,433],{},[110,434,435,438,441,444],{},[113,436,437],{},"Token Scope Level",[113,439,440],{},"Security",[113,442,443],{},"Implementation Complexity",[113,445,446],{},"Prevalence",[126,448,449,467,484,501],{},[110,450,451,458,461,464],{},[131,452,453,457],{},[454,455,456],"strong",{},"Per-NF-Type"," (e.g., \"AMF can access UDM\")",[131,459,460],{},"Weak — any AMF can query any subscriber",[131,462,463],{},"Low",[131,465,466],{},"Common",[110,468,469,475,478,481],{},[131,470,471,474],{},[454,472,473],{},"Per-Service"," (e.g., \"AMF can access nudm-sdm\")",[131,476,477],{},"Moderate — limits to service",[131,479,480],{},"Medium",[131,482,483],{},"Growing",[110,485,486,492,495,498],{},[131,487,488,491],{},[454,489,490],{},"Per-Operation"," (e.g., \"AMF can GET am-data\")",[131,493,494],{},"Good — limits to read ops",[131,496,497],{},"High",[131,499,500],{},"Rare",[110,502,503,509,512,515],{},[131,504,505,508],{},[454,506,507],{},"Per-Subscriber"," (e.g., 
\"AMF can GET am-data for SUPI X\")",[131,510,511],{},"Excellent — zero-trust model",[131,513,514],{},"Very High",[131,516,517],{},"Experimental",[13,519],{},[16,521,523],{"id":522},"infrastructure-layer","III. Escaping the Container: Infrastructure Layer Attacks",[21,525,526],{},"The SBA assumes isolation, but containerization is not virtualization. All NFs on a Kubernetes node share the underlying host kernel. A container boundary is a userspace isolation mechanism — not a security boundary equivalent to hardware virtualization.",[99,528,530],{"id":529},"container-breakouts","1. Container Breakouts",[21,532,533],{},"Zero-day kernel vulnerabilities remain a massive threat. If a border-facing NF (like the AMF, which processes untrusted UE signaling) is compromised via an API vulnerability, the next step is container escape. Once an attacker is on the host node, the logical separation of the 5G core vanishes completely.",[21,535,536],{},"Documented container escape vectors relevant to 5G deployments:",[70,538,539,545,556,562],{},[73,540,541,544],{},[454,542,543],{},"Dirty Pipe (CVE-2022-0847):"," Kernel-level arbitrary file overwrite",[73,546,547,550,551,555],{},[454,548,549],{},"runc escape (CVE-2024-21626):"," Container runtime breakout via ",[552,553,554],"code",{},"/proc/self/fd"," manipulation",[73,557,558,561],{},[454,559,560],{},"eBPF privilege escalation:"," Kernel BPF subsystem vulnerabilities enabling root access",[73,563,564,567,568,571,572,575,576,579],{},[454,565,566],{},"Privileged container abuse:"," NFs running with ",[552,569,570],{},"privileged: true"," for DPDK/SR-IOV access (common in ",[25,573,206],{"href":574},"/glossary/#user-plane-function-upf"," deployments, as documented in our ",[25,577,578],{"href":40},"slicing security analysis",")",[99,581,583],{"id":582},"network-policy","2. Network Policy Misconfigurations",[21,585,586,587,590],{},"Kubernetes relies on Network Policies for micro-segmentation. 
In rapid deployment cycles, MNOs often deploy clusters with overly permissive ",[552,588,589],{},"allow-all"," policies — or worse, no Network Policies at all (which defaults to allow-all).",[385,592,594],{"id":593},"lateral-movement-path","Lateral Movement Path",[390,596,597,600,603,606,609],{},[73,598,599],{},"Compromise the NWDAF (analytics function) via an insecure ML model ingestion API",[73,601,602],{},"From within the NWDAF pod, scan the cluster network (no egress NetworkPolicy)",[73,604,605],{},"Discover the UDM service endpoint on the same cluster network",[73,607,608],{},"Connect directly to the UDM API — bypassing SCP-level authorization because the traffic originates from a \"trusted\" internal IP",[73,610,611],{},"Exfiltrate subscriber data using the NWDAF's valid service mesh certificate",[21,613,614],{},"\u003CCodeBlock\nlanguage=\"yaml\"\nfilename=\"missing-network-policy.yaml\"\ncode=\"  # DANGEROUS: No NetworkPolicy = all pods can reach all pods",[330,616,618],{"id":617},"default-kubernetes-behavior-when-no-policies-are-defined","Default Kubernetes behavior when no policies are defined",[13,620],{},[330,622,624],{"id":623},"required-deny-all-baseline-explicit-allow-rules","REQUIRED: Deny-all baseline + explicit allow rules",[21,626,627],{},"apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\nname: default-deny-all\nnamespace: 5gc-core\nspec:\npodSelector: {}\npolicyTypes:",[70,629,630,633],{},[73,631,632],{},"Ingress",[73,634,635],{},"Egress",[330,637,639],{"id":638},"no-ingressegress-rules-deny-all-traffic","No ingress/egress rules = deny all traffic",[330,641,643],{"id":642},"then-add-per-nf-allow-rules-for-legitimate-communication-paths","Then add per-NF allow rules for legitimate communication paths\">",[13,645],{},[16,647,649],{"id":648},"signaling-storms","IV. 
Protocol Translation and Signaling Storms",[651,652,658,697],"grid",{"className":653},[654,655,656,657],"grid-cols-1","md:grid-cols-2","gap-6","my-8",[659,660,670,680,687],"div",{"className":661},[662,663,664,665,666,667,668,669],"bg-[#050B14]","p-6","border","border-[var(--border)]","group","hover:border-[var(--primary)]","transition-colors","relative",[671,672],"absolute",{":right-0":673,":top-0":673,"className":674},"true",[675,676,677,678,679],"w-8","h-8","bg-gradient-to-bl","from-[var(--primary)]/20","to-transparent",[99,681,683,686],{"id":682},"the-http2-to-diameter-gateway",[320,684,685],{},">"," The HTTP/2 to Diameter Gateway",[21,688,689,690,692,693,696],{},"Interworking Functions (IWF) translate HTTP/2 SBA calls to ",[25,691,33],{"href":32}," protocol. Attackers use advanced fuzzing to send crafted HTTP/2 headers that, when translated to ",[25,694,33],{"href":695},"/glossary/#diameter"," AVPs, cause parsing faults, buffer overflows, or HTTP request smuggling at the gateway that pushes attacker-shaped messages into the 4G core. This translation boundary is a high-value target because it bridges two fundamentally different trust models.",[659,698,700,703,709],{"className":699},[662,663,664,665,666,667,668,669],[671,701],{":right-0":673,":top-0":673,"className":702},[675,676,677,678,679],[99,704,706,708],{"id":705},"control-plane-ddos",[320,707,685],{}," Control Plane DDoS",[21,710,711,712,715],{},"A massive influx of compromised IoT devices (potentially from a compromised ",[25,713,714],{"href":40},"MIoT slice",") can cause an HTTP/2 signaling storm, exhausting TLS termination capacity and crashing the AMF. Unlike legacy signaling DoS, HTTP/2 multiplexing lets a single TCP connection carry many concurrent streams (up to the server's SETTINGS_MAX_CONCURRENT_STREAMS), so far fewer connections are needed to generate the same request rate.",[13,717],{},[16,719,721],{"id":720},"defensive-architecture","V. Defensive Architecture: Zero Trust in the Telco Core",[21,723,724],{},"Securing the SBA requires abandoning perimeter defense and enforcing Zero Trust inside the cluster. 
Every NF must authenticate, authorize, and validate every request — regardless of its origin within the \"trusted\" core network.",[651,726,728,744,760,776],{"className":727},[654,655,656,657],[659,729,731,734,741],{"className":730},[662,663,664,665,666,667,668,669],[671,732],{":right-0":673,":top-0":673,"className":733},[675,676,677,678,679],[99,735,737,740],{"id":736},"_01-mutual-tls-mtls-everywhere",[320,738,739],{},"01"," Mutual TLS (mTLS) Everywhere",[21,742,743],{},"Enforcing mTLS between every microservice via a Service Mesh (Istio or Linkerd) is non-negotiable. This ensures that even if an attacker gains network access, they cannot impersonate NFs without valid certificates. Certificate rotation should be automated and frequent (\u003C 24 hours).",[659,745,747,750,757],{"className":746},[662,663,664,665,666,667,668,669],[671,748],{":right-0":673,":top-0":673,"className":749},[675,676,677,678,679],[99,751,753,756],{"id":752},"_02-api-gateways-with-schema-validation",[320,754,755],{},"02"," API Gateways with Schema Validation",[21,758,759],{},"Route all internal API calls through strict, schema-validating API gateways rather than direct pod-to-pod communication (in a 5GC the SCP is the natural place to enforce this). The gateway must validate every JSON payload against the 3GPP OpenAPI specification, rejecting unexpected fields (preventing mass assignment) and enforcing per-SUPI authorization scoping.",[659,761,763,766,773],{"className":762},[662,663,664,665,666,667,668,669],[671,764],{":right-0":673,":top-0":673,"className":765},[675,676,677,678,679],[99,767,769,772],{"id":768},"_03-strict-ebpf-observability",[320,770,771],{},"03"," Strict eBPF Observability",[21,774,775],{},"Deploy kernel-level tracing (e.g., Tetragon, Falco) to detect anomalous syscalls and process execution, container escapes, and unauthorized lateral movement as they happen. 
eBPF provides low-overhead, kernel-level monitoring that catches activity invisible to application-layer logging.",[659,777,779,782,789],{"className":778},[662,663,664,665,666,667,668,669],[671,780],{":right-0":673,":top-0":673,"className":781},[675,676,677,678,679],[99,783,785,788],{"id":784},"_04-nrf-hardening",[320,786,787],{},"04"," NRF Hardening",[21,790,791],{},"Implement certificate-bound NF identity verification for all NRF registration requests. The NRF must validate that the NF's X.509 certificate matches its claimed NF type, instance ID, and service set. Add rate limiting and anomaly detection for NF profile changes.",[99,793,795],{"id":794},"defense-effectiveness-matrix","Defense Effectiveness Matrix",[104,797,798,820],{},[107,799,800],{},[110,801,802,805,808,811,814,817],{},[113,803,804],{},"Defense",[113,806,807],{},"BOLA",[113,809,810],{},"NRF Poisoning",[113,812,813],{},"Container Escape",[113,815,816],{},"Lateral Movement",[113,818,819],{},"Signaling Storm",[126,821,822,840,857,872,887,902,917],{},[110,823,824,827,830,833,835,838],{},[131,825,826],{},"mTLS (Istio)",[131,828,829],{},"N/A",[131,831,832],{},"Good (cert validation)",[131,834,829],{},[131,836,837],{},"Excellent",[131,839,829],{},[110,841,842,845,847,850,852,854],{},[131,843,844],{},"API Gateway (schema)",[131,846,837],{},[131,848,849],{},"Good",[131,851,829],{},[131,853,849],{},[131,855,856],{},"Partial",[110,858,859,862,864,866,868,870],{},[131,860,861],{},"eBPF Monitoring",[131,863,829],{},[131,865,829],{},[131,867,837],{},[131,869,837],{},[131,871,849],{},[110,873,874,877,879,881,883,885],{},[131,875,876],{},"NetworkPolicy",[131,878,829],{},[131,880,829],{},[131,882,829],{},[131,884,837],{},[131,886,829],{},[110,888,889,892,894,896,898,900],{},[131,890,891],{},"Per-SUPI OAuth Scoping",[131,893,837],{},[131,895,829],{},[131,897,829],{},[131,899,829],{},[131,901,829],{},[110,903,904,907,909,911,913,915],{},[131,905,906],{},"NRF cert-bound 
identity",[131,908,829],{},[131,910,837],{},[131,912,829],{},[131,914,829],{},[131,916,829],{},[110,918,919,922,924,926,928,930],{},[131,920,921],{},"Rate Limiting (SCP)",[131,923,849],{},[131,925,849],{},[131,927,829],{},[131,929,829],{},[131,931,837],{},[99,933,935],{"id":934},"recommended-kubernetes-security-configuration","Recommended Kubernetes Security Configuration",[21,937,938],{},"\u003CCodeBlock\nlanguage=\"yaml\"\nfilename=\"5gc-security-baseline.yaml\"\ncode=\"  # Pod Security Standards: Restricted baseline for all 5GC NFs\n  # NOTE: PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25. On current clusters enforce the\n  # equivalent with Pod Security Admission (namespace label pod-security.kubernetes.io/enforce: restricted).\napiVersion: policy/v1beta1\nkind: PodSecurityPolicy\nmetadata:\nname: 5gc-restricted\nspec:\nprivileged: false\nreadOnlyRootFilesystem: true\nrunAsUser:\nrule: MustRunAsNonRoot\nvolumes:",[70,940,941,944,947],{},[73,942,943],{},"configMap",[73,945,946],{},"emptyDir",[73,948,949,950,952],{},"secret\nallowedCapabilities: ",[320,951],{},"  # No capabilities by default",[330,954,956],{"id":955},"upf-exceptions-net_admin-for-packet-processing-separate-psp","UPF exceptions: NET_ADMIN for packet processing (separate PSP)",[13,958],{},[330,960,962],{"id":961},"istio-peerauthentication-enforce-strict-mtls-cluster-wide","Istio PeerAuthentication: Enforce STRICT mTLS for the 5gc-core namespace (apply the same resource in the Istio root namespace, istio-system by default, for a mesh-wide default)",[21,964,965],{},"apiVersion: security.istio.io/v1beta1\nkind: PeerAuthentication\nmetadata:\nname: default\nnamespace: 5gc-core\nspec:\nmtls:\nmode: STRICT\">",[13,967],{},[16,969,971],{"id":970},"testing-methodology","VI. SBA Security Testing Methodology",[21,973,974,975,979],{},"Assessing 5G SBA security requires expertise spanning web application security, Kubernetes infrastructure, and telecom-specific protocols. TelcoSec recommends a structured ",[25,976,978],{"href":977},"/telecom-penetration-testing-methodologies/","telecom pentesting methodology"," approach:",[390,981,982,988,994,1000,1006,1012],{},[73,983,984,987],{},[454,985,986],{},"API Surface Enumeration:"," Map all NF API endpoints using the 3GPP OpenAPI specifications (TS 29.xxx series). 
Identify which endpoints accept subscriber identifiers (SUPI/GPSI) as path parameters — these are BOLA candidates.",[73,989,990,993],{},[454,991,992],{},"OAuth Token Analysis:"," Obtain legitimate NF tokens and analyze their scope claims. Test whether tokens from one NF type can access services intended for other NF types.",[73,995,996,999],{},[454,997,998],{},"NRF Registration Testing:"," Attempt to register rogue NF instances with various NF types and priorities. Verify that certificate-bound identity validation is enforced.",[73,1001,1002,1005],{},[454,1003,1004],{},"Mass Assignment Fuzzing:"," Send API requests with unexpected JSON fields and verify that they are rejected, not silently processed.",[73,1007,1008,1011],{},[454,1009,1010],{},"Container Security Audit:"," Review Pod Security Policies/Standards, check for privileged containers, verify NetworkPolicy enforcement, and test for container escape paths.",[73,1013,1014,1017,1018,1020],{},[454,1015,1016],{},"IWF Fuzzing:"," Send malformed HTTP/2 requests through the ",[25,1019,33],{"href":32}," protocol interworking function and monitor for parsing errors, crashes, or request smuggling.",[21,1022,1023,1024,1028],{},"For building a test environment, see our ",[25,1025,1027],{"href":1026},"/setting-up-private-lte-5g-lab/","private LTE/5G lab",". Open-source 5G cores (Open5GS, free5GC) provide excellent targets for security research.",[13,1030],{},[16,1032,1034],{"id":1033},"references","VII. 
Authoritative References",[1036,1037,1040],"glass-panel",{"className":1038},[663,1039],"bg-black/20",[70,1041,1042,1059,1074,1089,1104,1120],{},[73,1043,1044,1049,1053],{},[454,1045,1046,1048],{},[320,1047,739],{}," 3GPP TS 33.501",[1050,1051,1052],"em",{},"Security architecture and procedures for 5G system",[25,1054,1058],{"href":1055,"rel":1056},"https://www.3gpp.org/dynareport?code=33501.htm",[1057],"nofollow","3GPP TS 33.501 – 5G Security Architecture →",[73,1060,1061,1066,1069],{},[454,1062,1063,1065],{},[320,1064,755],{}," ENISA 5G Security",[1050,1067,1068],{},"5G Security Controls Matrix",[25,1070,1073],{"href":1071,"rel":1072},"https://www.enisa.europa.eu/topics/cybersecurity-of-critical-sectors/telecom-sector-and-digital-infrastructure",[1057],"ENISA 5G Security Controls →",[73,1075,1076,1081,1084],{},[454,1077,1078,1080],{},[320,1079,771],{}," OWASP API TOP 10",[1050,1082,1083],{},"API Security Project - 2023 Standard",[25,1085,1088],{"href":1086,"rel":1087},"https://owasp.org/www-project-api-security/",[1057],"OWASP API Security Project →",[73,1090,1091,1096,1099],{},[454,1092,1093,1095],{},[320,1094,787],{}," 3GPP TS 29.510",[1050,1097,1098],{},"NRF Services (Network Repository Function)",[25,1100,1103],{"href":1101,"rel":1102},"https://www.3gpp.org/dynareport?code=29510.htm",[1057],"3GPP TS 29.510 – NRF Services →",[73,1105,1106,1112,1115],{},[454,1107,1108,1111],{},[320,1109,1110],{},"05"," NIST SP 800-204",[1050,1113,1114],{},"Security Strategies for Microservices-based Application Systems",[25,1116,1119],{"href":1117,"rel":1118},"https://csrc.nist.gov/pubs/sp/800/204/final",[1057],"NIST SP 800-204 Microservices Security →",[73,1121,1122,1128,1131],{},[454,1123,1124,1127],{},[320,1125,1126],{},"06"," 3GPP TS 23.501",[1050,1129,1130],{},"System Architecture for the 5G System (Stage 2)",[25,1132,1135],{"href":1133,"rel":1134},"https://www.3gpp.org/dynareport?code=23501.htm",[1057],"3GPP TS 23.501 – 5G System Architecture 
→",[13,1137],{},[16,1139,1141],{"id":1140},"faq","VIII. Frequently Asked Questions",[1143,1144,1146],"faq-item",{"title":1145},"Why is NRF poisoning so dangerous?",[21,1147,1148],{},"The Network Repository Function (NRF) is the \"central phonebook\" of the 5G core. If an attacker can poison it with a rogue Network Function, they can intercept all traffic meant for legitimate services, potentially stealing subscriber authentication keys or modifying call flows. Unlike other attacks that affect individual subscribers, NRF poisoning can compromise the entire core network simultaneously.",[1143,1150,1152],{"title":1151},"Does mTLS solve all SBA security issues?",[21,1153,1154],{},"Mutual TLS (mTLS) provides strong authentication and encryption between microservices, but it doesn't prevent application-layer attacks. An attacker who compromises a single container can still use its valid certificate to perform authorized (but malicious) API calls — such as BOLA-based subscriber enumeration. mTLS is necessary but not sufficient.",[1143,1156,1158],{"title":1157},"What is the role of eBPF in 5G security?",[21,1159,1160],{},"eBPF (Extended Berkeley Packet Filter) allows security tools to monitor syscalls and network traffic at the kernel level with minimal overhead. It is essential for detecting container escapes and unauthorized lateral movement within the highly dynamic 5G core environment. Tools like Tetragon and Falco leverage eBPF for real-time detection, and Tetragon can also enforce policy in-kernel.",[1143,1162,1164],{"title":1163},"How does 5G SBA security compare to legacy SS7/Diameter?",[21,1165,1166,1167,29,1169,1171],{},"The ",[25,1168,28],{"href":27},[25,1170,33],{"href":32}," protocols provided no authentication at all — any node could send any message to any destination. The 5G SBA adds OAuth 2.0, mTLS, and NRF-based authorization, which is a massive improvement. 
However, the cloud-native architecture introduces entirely new attack classes (container escapes, BOLA, mass assignment) that didn't exist in the legacy monolithic world.",[1143,1173,1175],{"title":1174},"Can network slicing protect against SBA attacks?",[21,1176,1177,1180,1181,1184],{},[25,1178,1179],{"href":40},"Network slicing"," provides logical separation, but slices share the SBA infrastructure (",[25,1182,147],{"href":1183},"/glossary/#access-and-mobility-management-function-amf",", NRF, SCP). A BOLA attack or NRF poisoning in the shared control plane affects all slices. True protection requires per-slice NRF instances and slice-specific OAuth scoping — which most current deployments don't implement.",[1143,1186,1188],{"title":1187},"What open-source tools are available for 5G SBA testing?",[21,1189,1190,1191,1194,1195,1199],{},"Open5GS and free5GC provide complete 5G core implementations for ",[25,1192,1193],{"href":1026},"lab testing",". For API security testing, standard tools (Burp Suite, OWASP ZAP) work against the HTTP/2 APIs. Kubernetes security can be assessed with kube-bench, kube-hunter, and Trivy. TelcoSec's ",[25,1196,1198],{"href":1197},"/projects/tools/","TelcoSec protocol analysis tools"," provide telecom-specific testing frameworks.",[13,1201],{},[16,1203,1205],{"id":1204},"conclusion-next-steps","Conclusion & Next Steps",[21,1207,1208,1209,1213,1214,42],{},"The 5G ",[25,1210,1212],{"href":1211},"/glossary/#service-based-architecture-sba","SBA"," offers unprecedented flexibility but exposes MNOs to the full volatility of the cloud-native threat landscape. 
Telecom engineers can no longer isolate themselves from web application and container security — the same OWASP Top 10 vulnerabilities that plague enterprise APIs now threaten the network infrastructure that supports ",[25,1215,1216],{"href":40},"critical IoT slices",[21,1218,1219],{},"The defense roadmap for operators deploying 5G SA cores:",[390,1221,1222,1228,1234,1244],{},[73,1223,1224,1227],{},[454,1225,1226],{},"Immediate:"," Enforce mTLS and deny-all NetworkPolicy across all 5GC namespaces",[73,1229,1230,1233],{},[454,1231,1232],{},"Short-term:"," Deploy eBPF-based runtime security monitoring (Tetragon/Falco)",[73,1235,1236,1239,1240,1243],{},[454,1237,1238],{},"Medium-term:"," Implement per-operation OAuth scoping and ",[25,1241,133],{"href":1242},"/glossary/#network-repository-function-nrf"," certificate-bound identity",[73,1245,1246,1249,1250],{},[454,1247,1248],{},"Long-term:"," Transition to per-SUPI authorization and automated ",[25,1251,978],{"href":977},[21,1253,1254,1255,1259,1260,1264],{},"Protecting the 5G core requires deep expertise in Kubernetes hardening, REST API security, and zero-trust mesh architectures. Explore our ",[25,1256,1258],{"href":1257},"/projects/library/","TelcoSec research library"," for related 5G intelligence, or review the ",[25,1261,1263],{"href":1262},"/projects/3gpp/","3GPP specification navigator"," for detailed protocol references.",[659,1266,1272,1273,1272,1281],{"className":1267},[1268,1269,1270,1271,657],"flex","flex-col","sm:flex-row","gap-4","\n  ",[1274,1275,1280],"nuxt-link",{"to":1276,"className":1277},"/services/",[1278,1279],"btn-terminal-fill","text-center","REQUEST AUDIT",[1274,1282,1285],{"to":48,"className":1283},[1284,1279],"btn-terminal","5G ARCHITECTURE →",[1287,1288],"telecom-security-cta",{"title":1289,"description":1290,"ctalink":1291,"ctatext":1292,"context":1293},"AUDIT 5G CORE APIS?","Master 5G Service Based Architecture security. 
Learn to identify and exploit HTTP/2 vulnerabilities in containerized NFs through our hands-on Academy tracks.","https://app.telcosec.net/api/auth/login","MASTER 5G CORE SBA EXPLOITS [→]","5g_sba_vulnerabilities",{"title":68,"searchDepth":1295,"depth":1295,"links":1296},2,[1297,1298,1302],{"id":18,"depth":1295,"text":19},{"id":93,"depth":1295,"text":94,"children":1299},[1300],{"id":101,"depth":1301,"text":102},3,{"id":302,"depth":1295,"text":303,"children":1303},[1304],{"id":312,"depth":1301,"text":313},"vulnerabilities-in-5g-sba","F62JSOlVL5PYy63k1A3ErZfGT_p7070gFvakjKBpdFM",[],1782059596569]
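Sections II.1 (BOLA), II.2 (mass assignment) and II.4 (token scope granularity) describe, in prose, what a Nudm_SDM producer must check before it serves a request. The Python below is an added example, not code from the TelcoSec page or from any 5G core implementation (Open5GS and free5GC are mentioned on the page only as lab targets). It assumes a shared HMAC key standing in for the NRF's token-signing key, a hypothetical per-subscriber `supi` claim (the "Per-Subscriber" row of the table in II.4; TS 29.510 defines no such claim), NF instance names such as `amf-1`, and a field allowlist abbreviated from the Nudm_SDM schemas. The claim names iss, sub, aud, scope and exp follow TS 29.510.

```python
import base64
import hashlib
import hmac
import json
import re
import time

# Assumption: a shared HMAC key stands in for the NRF's token-signing key.
# Real NRF tokens are JWTs signed by the NRF (TS 33.501 / TS 29.510); the claim
# names below (iss, sub, aud, scope, exp) follow TS 29.510, but the per-subscriber
# 'supi' claim is this example's own binding and not a 3GPP-defined claim.
NRF_KEY = b'constructed-demo-key-do-not-reuse'

# Per-resource allowlist for the Nudm_SDM producer. am-data is read-only to consumers;
# the sdm-subscriptions field list is abbreviated from the SdmSubscription schema.
ALLOWED = {
    'am-data': {'methods': {'GET'}, 'fields': set()},
    'sdm-subscriptions': {'methods': {'POST'},
                          'fields': {'nfInstanceId', 'callbackReference', 'monitoredResourceUris'}},
}
SUPI_PATH = re.compile(r'^/nudm-sdm/v1/(?P<supi>imsi-\d{15})/(?P<resource>am-data|sdm-subscriptions)$')


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode()


def mint_token(sub: str, aud: list, scope: str, supi: str = None, ttl: int = 300) -> str:
    """Mint an HS256 JWT the way a (simplified) NRF would for consumer NF `sub`."""
    claims = {'iss': 'nrf-1', 'sub': sub, 'aud': aud, 'scope': scope, 'exp': int(time.time()) + ttl}
    if supi:
        claims['supi'] = supi  # hypothetical per-subscriber binding
    header = _b64url(json.dumps({'alg': 'HS256', 'typ': 'JWT'}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(NRF_KEY, f'{header}.{body}'.encode(), hashlib.sha256).digest()
    return f'{header}.{body}.{_b64url(sig)}'


def verify_token(token: str) -> dict:
    """Check signature and expiry before trusting any claim (an edited scope fails here)."""
    header, body, sig = token.split('.')
    expected = hmac.new(NRF_KEY, f'{header}.{body}'.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise PermissionError('invalid token signature')
    claims = json.loads(base64.urlsafe_b64decode(body + '=' * (-len(body) % 4)))
    if claims['exp'] < time.time():
        raise PermissionError('token expired')
    return claims


def authorize(method: str, path: str, claims: dict, body: dict = None, per_supi: bool = True):
    """Return (True, None) or (False, reason). per_supi=False reproduces the weak per-service
    scoping from the table in section II.4; per_supi=True adds object-level authorization."""
    m = SUPI_PATH.match(path)
    if not m:
        return False, '404 unknown resource'
    if 'UDM' not in claims.get('aud', []):
        return False, '403 token audience is not this producer'
    if 'nudm-sdm' not in claims.get('scope', '').split():
        return False, '403 scope does not cover nudm-sdm'
    rule = ALLOWED[m['resource']]
    if method not in rule['methods']:
        return False, '405 method not allowed on ' + m['resource']
    if per_supi and claims.get('supi') != m['supi']:
        return False, '403 token is not bound to ' + m['supi']
    unexpected = set(body or {}) - rule['fields']
    if unexpected:  # reject, never silently drop (mass assignment)
        return False, '400 unexpected fields: ' + ', '.join(sorted(unexpected))
    return True, None


def demo() -> dict:
    """Constructed requests: an AMF token scoped to nudm-sdm and bound to one SUPI."""
    victim, other = 'imsi-001010123456789', 'imsi-001010000000001'
    amf = verify_token(mint_token('amf-1', ['UDM'], 'nudm-sdm', supi=victim))
    smf = verify_token(mint_token('smf-1', ['UDM'], 'nudm-uecm', supi=victim))
    sub = {'nfInstanceId': 'amf-1', 'callbackReference': 'https://amf-1/cb',
           'monitoredResourceUris': [], 'subscribedUeAmbr': {'uplink': '1000 Mbps'}}
    return {
        'legit_get':   authorize('GET', f'/nudm-sdm/v1/{victim}/am-data', amf),
        'bola_weak':   authorize('GET', f'/nudm-sdm/v1/{other}/am-data', amf, per_supi=False),
        'bola_strict': authorize('GET', f'/nudm-sdm/v1/{other}/am-data', amf),
        'put_am_data': authorize('PUT', f'/nudm-sdm/v1/{victim}/am-data', amf, {'subscribedUeAmbr': {}}),
        'mass_assign': authorize('POST', f'/nudm-sdm/v1/{victim}/sdm-subscriptions', amf, sub),
        'wrong_scope': authorize('GET', f'/nudm-sdm/v1/{victim}/am-data', smf),
    }


def forged_scope_rejected() -> bool:
    """Editing the scope claim without the NRF key must fail signature verification."""
    header, body, sig = mint_token('amf-1', ['UDM'], 'nudm-sdm').split('.')
    claims = json.loads(base64.urlsafe_b64decode(body + '=' * (-len(body) % 4)))
    claims['scope'] = 'nudm-sdm nudm-uecm nausf-auth'
    forged = f'{header}.{_b64url(json.dumps(claims).encode())}.{sig}'
    try:
        verify_token(forged)
        return False
    except PermissionError:
        return True


if __name__ == '__main__':
    for name, (ok, reason) in demo().items():
        print(f'{name:12s} {"ALLOW" if ok else "DENY "} {reason or ""}')
    print('forged scope rejected:', forged_scope_rejected())
```

Running the script walks through the cases from the page in order: the legitimate read is allowed; the `bola_weak` case shows the II.1 attack succeeding under per-service scoping, where a token for `nudm-sdm` reads any SUPI; the same request is denied once the token is bound to a subscriber; the PUT to `am-data` from the II.2 example is refused by the method allowlist; the extra `subscribedUeAmbr` field on an otherwise valid subscription is rejected rather than stripped, which is the behaviour the testing methodology in section VI tells you to verify; and a token scoped to `nudm-uecm` is turned away before any subscriber check runs. The forged-scope check is the reason the signature is verified before a single claim is read.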