Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
Affected versions: <= 2.6.4
A reachable assertion vulnerability has been identified in the ogs_kdf_hash_mme function of Open5GS versions through 2.6.4. An attacker can cause a denial-of-service (DoS) condition by sending a crafted NAS packet that triggers the assertion. The function does not properly validate the length of the incoming message before processing it, particularly when the length is a multiple of 256 bytes; the resulting assertion failure crashes the application.
Exploitation of this vulnerability leads to a denial-of-service condition, causing the Open5GS server to crash and become unresponsive.
To reproduce this vulnerability, send a NAS packet containing a Tracking Area Update (TAU) Request that is a multiple of 256 bytes in length to the Open5GS AMF. The packet should be crafted to include a zero-length EMM message, as this combination will trigger the reachable assertion in the ogs_kdf_hash_mme function.
Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.