Open5GS Denial-of-Service Vulnerability in AMF/MME Component

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.3. The issue lies in the AMF/MME component, specifically in the 'common_register_state' function of the 'src/mme/emm-sm.c' file. It is triggered by manipulating the 'ran_ue_id' argument, which leads to a crash of the Access and Mobility Management Function (AMF). The issue can be exploited remotely, causing a significant disruption of service availability.

Impact

Exploitation of this vulnerability causes the AMF to crash, disrupting service and causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by first processing a Handover Required message between two gNBs, which leaves an incomplete handover and releases the original gNB-side UE context. Before that context is fully released, a new UE with a duplicate IMSI is registered via a third gNB. The AMF then crashes because the 'ran_ue' context it expects is missing: it still holds a stale reference left over from the first gNB's handover.
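The failure class described above is a stale reference: the AMF-side UE record still names a RAN-side context that has already been released, and the state handler dereferences it. The following C model, added here as an illustration and not taken from Open5GS or from the 2.7.4 fix, shows the defensive shape a practitioner would look for in a handler such as this one: references are held as ids rather than raw pointers, ids are never reused, every handler re-resolves the id before use, and a lookup miss fails closed (the message is dropped) instead of crashing. All names ('ran_ue_add', 'ran_ue_find_by_id', 'common_register_state_model'), the pool size and the constructed handover scenario are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified model of an AMF holding a reference to a RAN-side
 * UE context (ran_ue). Added illustration, not Open5GS code: the names, ids
 * and the 'handover' flow below are constructed for the example. */

#define MAX_RAN_UE 8
#define RAN_UE_ID_NONE 0u

typedef struct {
    bool     in_use;
    uint32_t ran_ue_id;   /* unique, never reused while the process lives */
    int      gnb_idx;     /* which gNB this context belongs to */
} ran_ue_t;

typedef struct {
    char     imsi[16];
    uint32_t ran_ue_id;   /* reference by id, never by raw pointer */
} amf_ue_t;

static ran_ue_t pool[MAX_RAN_UE];
static uint32_t next_ran_ue_id = 1;

void ran_ue_reset(void) {
    memset(pool, 0, sizeof(pool));
    next_ran_ue_id = 1;
}

/* Allocate a ran_ue for a gNB; returns its id, or RAN_UE_ID_NONE when full. */
uint32_t ran_ue_add(int gnb_idx) {
    for (size_t i = 0; i < MAX_RAN_UE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].ran_ue_id = next_ran_ue_id++;   /* monotonic: no id reuse */
            pool[i].gnb_idx = gnb_idx;
            return pool[i].ran_ue_id;
        }
    }
    return RAN_UE_ID_NONE;
}

/* Resolve an id. A released or never-issued id yields NULL, never a dangling
 * pointer and never another UE's context (ids are not recycled). */
ran_ue_t *ran_ue_find_by_id(uint32_t ran_ue_id) {
    if (ran_ue_id == RAN_UE_ID_NONE) return NULL;
    for (size_t i = 0; i < MAX_RAN_UE; i++)
        if (pool[i].in_use && pool[i].ran_ue_id == ran_ue_id) return &pool[i];
    return NULL;
}

void ran_ue_remove(uint32_t ran_ue_id) {
    ran_ue_t *r = ran_ue_find_by_id(ran_ue_id);
    if (r) memset(r, 0, sizeof(*r));
}

/* Defensive shape for a state handler: re-resolve the RAN context on every
 * use and fail closed when it is gone, rather than asserting on or
 * dereferencing a stale reference. Returns the serving gNB index, or -1
 * when the message must be discarded. */
int common_register_state_model(const amf_ue_t *amf_ue) {
    ran_ue_t *ran_ue = ran_ue_find_by_id(amf_ue->ran_ue_id);
    if (!ran_ue) {
        /* A real implementation would log the IMSI and id here and drop the message. */
        return -1;
    }
    return ran_ue->gnb_idx;
}

/* Constructed scenario: UE served by gNB 1, a handover toward gNB 2 is
 * started, the source context is released while the AMF still holds the
 * old id. The handler must return -1, not crash. */
int scenario_stale_reference(void) {
    ran_ue_reset();
    amf_ue_t ue = { .imsi = "001010000000001", .ran_ue_id = RAN_UE_ID_NONE };
    ue.ran_ue_id = ran_ue_add(1);             /* served by gNB 1 */
    (void)ran_ue_add(2);                      /* target context prepared on gNB 2 */
    ran_ue_remove(ue.ran_ue_id);              /* source gNB context released */
    return common_register_state_model(&ue);  /* -1: reference is stale */
}

/* Same UE registered again from gNB 3 with a fresh context: the AMF record
 * is updated to the new id, so the lookup succeeds. */
int scenario_fresh_registration(void) {
    ran_ue_reset();
    amf_ue_t ue = { .imsi = "001010000000001", .ran_ue_id = RAN_UE_ID_NONE };
    ue.ran_ue_id = ran_ue_add(1);
    ran_ue_remove(ue.ran_ue_id);
    ue.ran_ue_id = ran_ue_add(3);             /* new gNB, new id replaces the old one */
    return common_register_state_model(&ue);  /* 3 */
}
```

The two properties worth checking in any reviewed fix are visible in the model: a released context can never be reached through its old id (so a duplicate-IMSI registration from a third gNB cannot alias it), and a missing context is an ordinary error path that drops one message rather than a process-wide crash.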

Remediation

Users are advised to update to Open5GS version 2.7.4 or later, where this vulnerability has been patched.

Added: Jun 10, 2025, 5:49 AM
Updated: Jun 10, 2025, 5:49 AM

Vulnerability Rating (custom algorithm)

  category        score
  --------------  -----
  spread            1.4
  impact            2.5
  exploitability    9.1
  remediation       7.7
  relevance         0.2
  threat            6.4
  urgency           2.9
  incentive        10.0

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.