Open5GS AMF Denial-of-Service Vulnerability in gmm_state_exception Error Handling

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS version 2.7.2. The issue arises in the Access and Mobility Management Function (AMF) when it receives the Nausf_UEAuthentication_Authenticate response. If the same user equipment (UE) repeatedly sends the Initial UE Message registration request before the previous authentication response has been processed, the AMF crashes. The crash results from improper error handling in the gmm_state_exception function, which cannot manage the outdated authentication vectors.

Impact

Exploitation of this vulnerability causes the AMF to crash, disrupting the service and potentially leading to a loss of context for ongoing operations.

Reproduction

The vulnerability can be reproduced by sending continuous registration requests from the same UE while the AMF is processing previous requests. This can be done using a script that automates the registration process, effectively overwhelming the AMF with repeated requests before it can properly handle the authentication responses.

Remediation

Users can update to the patched version of Open5GS, which includes a fix for this vulnerability. Instructions for updating can be found in the Open5GS documentation.
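
The condition described under Reproduction (a new registration request from a UE whose previous authentication is still outstanding) can also be watched for in AMF signalling records. The following is an added example, not code from Open5GS or from this advisory; the record layout, the event names REG_REQ and AUTH_RSP, the threshold and the window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records: "<seconds> <ue_id> <event>". The layout and the
# event names are assumptions for illustration, not Open5GS log output.
#   REG_REQ  = Initial UE Message carrying a registration request
#   AUTH_RSP = Nausf_UEAuthentication_Authenticate response handled by the AMF
SAMPLE = """\
0.00 ue-0001 REG_REQ
0.05 ue-0002 REG_REQ
0.10 ue-0001 REG_REQ
0.12 ue-0001 REG_REQ
0.20 ue-0002 AUTH_RSP
0.25 ue-0001 REG_REQ
0.30 ue-0001 AUTH_RSP
5.00 ue-0002 REG_REQ
5.10 ue-0002 AUTH_RSP
"""

def parse(text):
    """Yield (timestamp, ue_id, event), skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2]
        except ValueError:
            continue

def overlapping_registrations(records, threshold=3, window=1.0):
    """Return {ue_id: count} for UEs that sent `threshold` or more registration
    requests within `window` seconds while an authentication was outstanding."""
    pending = set()               # UEs with an unanswered authentication
    overlaps = defaultdict(list)  # ue_id -> timestamps of overlapping requests
    flagged = {}
    for ts, ue, event in sorted(records):
        if event == "REG_REQ":
            if ue in pending:
                recent = [t for t in overlaps[ue] if ts - t <= window] + [ts]
                overlaps[ue] = recent
                if len(recent) >= threshold:
                    flagged[ue] = max(flagged.get(ue, 0), len(recent))
            pending.add(ue)
        elif event == "AUTH_RSP":
            # Simplification: any response clears the UE's pending state.
            pending.discard(ue)
    return flagged

if __name__ == "__main__":
    print(overlapping_registrations(parse(SAMPLE)))
```

A UE that registers once and receives its response before registering again, like ue-0002 in the sample, is never counted.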

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 7.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.