Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.2
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.2, specifically within the Access and Mobility Management Function (AMF) module. The issue arises in the function responsible for handling updates to the session management context, located in the file 'src/amf/nsmf-handler.c'. This vulnerability allows a single user equipment (UE) device to crash the AMF, leading to a complete disruption of mobility and session management services across the network. As a result, all connected UEs lose connectivity, and new registrations are blocked until the AMF is manually restarted. The vulnerability can be exploited remotely, without any authentication, and has been publicly disclosed along with a proof-of-concept exploit.
Exploitation of this vulnerability causes the AMF to crash, resulting in a total loss of 5G core network services. This disruption affects all connected users, who will lose connectivity, while new registration requests are blocked until the AMF is restarted. This vulnerability poses a critical risk to the reliability of 5G networks, particularly in commercial deployments.
The vulnerability can be reproduced by simulating a UE device that repeatedly connects and disconnects from the network. This can be done using the open-source UERANSIM tool, which simulates UE behavior. The AMF will crash after approximately 5 to 10 minutes of this repeated disconnection and reconnection, disrupting all network services.
Users are advised to update to the latest version of Open5GS, where this vulnerability has been fixed.
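Until the update is deployed, the repeated connect/disconnect pattern described above can be watched for per UE. The following is an added detection sketch, not code from Open5GS or from the original advisory: it counts register/deregister cycles per UE in a sliding window. Assumptions: AMF events have already been normalized to lines of the form "timestamp UE-id event" (this is not the Open5GS log format), the function names are hypothetical, the 5-minute window and 5-cycle threshold are illustrative values to tune, and the IMSIs are constructed test values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Split 'ISO-timestamp UE-id event' (assumed normalized format)."""
    ts, ue, event = line.split()
    return datetime.fromisoformat(ts), ue, event

def find_churning_ues(lines, window=timedelta(minutes=5), max_cycles=5):
    """Return {ue: peak cycle count in any window} for UEs above max_cycles.

    A cycle is a 'register' followed by a 'deregister' from the same UE.
    """
    registered = set()
    cycles = defaultdict(deque)  # ue -> timestamps of completed cycles
    flagged = {}
    for ts, ue, event in sorted(parse(l) for l in lines if l.strip()):
        if event == "register":
            registered.add(ue)
        elif event == "deregister" and ue in registered:
            registered.discard(ue)
            q = cycles[ue]
            q.append(ts)
            # Drop cycles that have fallen out of the sliding window.
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) > max_cycles:
                flagged[ue] = max(flagged.get(ue, 0), len(q))
    return flagged

def constructed_events():
    """Constructed sample: one UE cycling every 20 s, one registering once."""
    start = datetime(2025, 1, 1, 10, 0, 0)
    churner, normal = "imsi-001010000000001", "imsi-001010000000002"
    lines = [f"{start.isoformat()} {normal} register"]
    for i in range(9):
        t = start + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} {churner} register")
        lines.append(f"{(t + timedelta(seconds=10)).isoformat()} {churner} deregister")
    return lines

if __name__ == "__main__":
    for ue, n in find_churning_ues(constructed_events()).items():
        print(f"{ue}: {n} register/deregister cycles within the window")
```

A flagged UE is a candidate for rate limiting or blocking at the RAN or subscriber level while the AMF is still on an affected version.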