Open5GS Reachable Assertion Vulnerability in NGAP Packet Handling Allowing Denial-of-Service

Vulnerability

A reachable assertion vulnerability has been identified in the 'nas_eps_send_emm_to_esm' function of Open5GS versions through 2.6.4. This vulnerability allows attackers to cause a denial-of-service (DoS) condition by sending a crafted NGAP packet that triggers the assertion. The vulnerability arises from improper handling of the packet, specifically in the processing of the 'InitialUEMessage' message, where a malformed mobile identity leads to a null pointer dereference.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the Open5GS AMF component, disrupting all cellular communications managed by the affected AMF.

Reproduction

To reproduce this vulnerability, send an 'Initial UE Message' S1AP packet to the Open5GS AMF that contains a malformed 'IMSI' field, specifically one that is zero-length. This can be done by establishing a connection to the AMF and transmitting the crafted packet over the N2 interface.
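As an added illustration of the defensive check that addresses this class of bug (this is example code, not Open5GS source): a hypothetical decoder for an LV-encoded NAS mobile identity IE that rejects a zero-length or truncated identity with an error return instead of letting it reach code that asserts or dereferences it. The IE layout (length octet followed by content octets whose first octet carries the type of identity in its low 3 bits) follows 3GPP TS 24.301; the length bound and the sample inputs are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed upper bound on identity content octets (not taken from Open5GS). */
#define MOBILE_IDENTITY_MAX_LEN 11

typedef struct {
    uint8_t type;                         /* type of identity: low 3 bits of first content octet */
    uint8_t len;                          /* number of content octets */
    uint8_t buf[MOBILE_IDENTITY_MAX_LEN]; /* raw content octets */
} mobile_identity_t;

/* Hypothetical decoder. Returns 0 on success, -1 if the IE is malformed.
 * A zero-length identity (the advisory's trigger) and a length that claims
 * more octets than the buffer holds are both rejected up front, so later
 * stages never see an empty identity. */
int decode_mobile_identity(const uint8_t *pkt, size_t pkt_len, mobile_identity_t *out)
{
    if (pkt == NULL || out == NULL || pkt_len < 1)
        return -1;                          /* no length octet present */
    uint8_t len = pkt[0];
    if (len == 0)
        return -1;                          /* zero-length identity: reject, do not assert */
    if (len > MOBILE_IDENTITY_MAX_LEN || (size_t)len > pkt_len - 1)
        return -1;                          /* length exceeds bound or available octets */
    out->len = len;
    memcpy(out->buf, pkt + 1, len);
    out->type = out->buf[0] & 0x07;
    return 0;
}

/* Convenience wrapper: decoded type of identity, or -1 when the IE is rejected. */
int mobile_identity_type(const uint8_t *pkt, size_t pkt_len)
{
    mobile_identity_t id;
    if (decode_mobile_identity(pkt, pkt_len, &id) != 0)
        return -1;
    return id.type;
}

/* Constructed sample IEs (not captured traffic). */
static const uint8_t sample_ok[] = {0x08, 0x09, 0x10, 0x10, 0x00, 0x00, 0x00, 0x00, 0x10}; /* 8 octets, type 1 */
static const uint8_t sample_zero_len[] = {0x00};               /* length octet 0: malformed */
static const uint8_t sample_truncated[] = {0x08, 0x09, 0x10};  /* claims 8 octets, has 2 */
```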

Remediation

Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.