Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= v2.7.2
A denial-of-service vulnerability has been identified in the Access and Mobility Management Function (AMF) component of Open5GS, affecting versions through 2.7.2. The issue arises from an assertion failure in the 'ngap_build_downlink_nas_transport' function, located in 'src/amf/ngap-build.c'. This vulnerability allows attackers to crash the process by sending repeated connect and disconnect messages from User Equipment (UE). The problem is exacerbated by the UPF (User Plane Function) not properly handling invalid values, resulting in a critical crash.
Exploitation of this vulnerability causes the AMF process to crash, disrupting service and causing connected gNodeBs to go offline.
The vulnerability can be reproduced by simulating frequent disconnections and reconnections of UEs. This can be done using a script that automates the process of connecting and disconnecting a UE from a gNB, while the core network is running Open5GS version 2.7.2. After about 1 to 3 minutes of this activity, the AMF will crash, as indicated by logs showing a fatal error due to a failed assertion. This can be observed in the 'output.log' file, which captures the connection and disconnection events.
Users can update to Open5GS version 2.7.5 or later, where this issue has been addressed.
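For deployments that cannot be updated immediately, the following added example (not part of this advisory or of Open5GS) scans AMF log lines for the UE connect/disconnect churn and the fatal assertion described above. The log line layout, the `[Added]`/`[Removed]` markers, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import deque
from datetime import datetime

# Assumed line layout: "MM/DD HH:MM:SS.mmm: [amf] LEVEL: message"
LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d\.\d+): \[amf\] (\w+): (.*)$")
# Assumed markers for UE contexts being created and released
CHURN = re.compile(r"\[(Added|Removed)\] Number of gNB-UEs")
# Function and source file named in the advisory
CRASH = re.compile(r"ngap_build_downlink_nas_transport.*Assertion|Assertion.*ngap-build\.c")

def scan_amf_log(lines, window_s=60, churn_limit=6):
    """Return (churn_alerts, crash_lines) for an iterable of AMF log lines."""
    recent, alerts, crashes, alerting = deque(), [], [], False
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts_text, level, msg = m.groups()
        # The log carries no year; a fixed leap year keeps 02/29 parseable.
        ts = datetime.strptime("2000/" + ts_text, "%Y/%m/%d %H:%M:%S.%f")
        if level == "FATAL" and CRASH.search(msg):
            crashes.append(raw.strip())
            continue
        if not CHURN.search(msg):
            continue
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()  # drop events that fell out of the sliding window
        over = len(recent) >= churn_limit
        if over and not alerting:  # alert once per burst, not once per line
            alerts.append((ts_text, len(recent)))
        alerting = over
    return alerts, crashes

# Constructed sample input; <expr> and <line> are placeholders, not real values.
SAMPLE = [
    "04/10 12:00:01.000: [amf] INFO: [Added] Number of gNB-UEs is now 1",
    "04/10 12:00:03.000: [amf] INFO: [Removed] Number of gNB-UEs is now 0",
    "04/10 12:00:05.000: [amf] INFO: [Added] Number of gNB-UEs is now 1",
    "04/10 12:00:07.000: [amf] INFO: [Removed] Number of gNB-UEs is now 0",
    "04/10 12:00:09.000: [amf] INFO: [Added] Number of gNB-UEs is now 1",
    "04/10 12:00:11.000: [amf] INFO: [Removed] Number of gNB-UEs is now 0",
    "04/10 12:00:12.000: [amf] INFO: constructed line that matches no rule",
    "04/10 12:01:40.500: [amf] FATAL: ngap_build_downlink_nas_transport: "
    "Assertion `<expr>' failed. (../src/amf/ngap-build.c:<line>)",
]

if __name__ == "__main__":
    print(scan_amf_log(SAMPLE))
```

Tune `window_s` and `churn_limit` to the normal attach and release rate of the network being monitored, since legitimate mobility also produces these events.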