Open5GS Reachable Assertion Vulnerability in AMF/MME Component

Vulnerability

A reachable assertion vulnerability has been identified in Open5GS versions through 2.7.3. The issue is in the AMF/MME component, specifically within the gmm_state_authentication and emm_state_authentication functions. It arises from improper handling of user equipment (UE) context during registration and deregistration, particularly following an incomplete handover. As a result, the AMF may crash by triggering a fatal assertion, which disrupts service availability. The vulnerability can be exploited remotely and without authentication, and the resulting crash is a denial-of-service condition.
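The bug class described above, shown as an added example rather than Open5GS code: a state handler that enforces a context invariant with assert() next to one that rejects the affected UE and keeps running. All type and function names are hypothetical, and the assumption that an unfinished handover leaves the UE context without a RAN association is a simplification made for illustration, not the project's actual assertion.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model; these are not Open5GS structures. */
typedef struct { int ran_id; } ran_assoc_t;
typedef struct {
    const char *id;     /* constructed sample identity */
    ran_assoc_t *ran;   /* NULL while a handover is unfinished (assumed) */
} ue_ctx_t;
typedef enum { H_OK = 0, H_REJECTED = -1 } result_t;

/* Handover modelled in two steps: if the second step never arrives,
 * the context is left without a RAN association (assumed failure mode). */
void handover_start(ue_ctx_t *ue) { ue->ran = NULL; }
void handover_complete(ue_ctx_t *ue, ran_assoc_t *target) { ue->ran = target; }

/* Fragile pattern: an invariant that peer-driven state can violate is
 * enforced with assert(), so one stale context aborts the whole process. */
result_t auth_state_fragile(ue_ctx_t *ue)
{
    assert(ue);
    assert(ue->ran);    /* reachable when the handover never completed */
    return H_OK;
}

/* Hardened pattern: treat the broken invariant as a per-UE error,
 * log it, reject this procedure, and keep serving other subscribers. */
result_t auth_state_hardened(ue_ctx_t *ue)
{
    if (ue == NULL)
        return H_REJECTED;
    if (ue->ran == NULL) {
        fprintf(stderr, "ue %s: no RAN association in authentication "
                "state, rejecting\n", ue->id);
        return H_REJECTED;
    }
    return H_OK;
}

int main(void)
{
    ran_assoc_t source = { 1 }, target = { 2 };
    ue_ctx_t ue = { "ue-constructed-0001", &source };
    handover_start(&ue);        /* handover begins, never completes */
    printf("stale context:    %d\n", auth_state_hardened(&ue));
    handover_complete(&ue, &target);
    printf("complete context: %d\n", auth_state_hardened(&ue));
    return 0;                   /* fragile handler would have aborted */
}
```

In a network function that serves many subscribers, assertions are best kept for conditions that no sequence of external messages can produce; anything reachable from peer-driven state belongs on an error path like the hardened handler's.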

Impact

Exploitation of this vulnerability crashes the AMF component, disrupting service and resulting in a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by simulating an abnormal handover scenario between two gNodeBs, followed by a loop of registration and deregistration requests from a user equipment (UE) device. This process creates a conflict in the UE context management, leading to the assertion failure and subsequent crash of the AMF.

Remediation

Users are advised to update to Open5GS version 2.7.6, where this vulnerability has been fixed.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

Spread: 1.4
Impact: 2.5
Exploitability: 7.2
Remediation: 7.7
Relevance: 0.2
Threat: 6.4
Urgency: 2.9
Incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.