Open5GS AMF Denial-of-Service Vulnerability via Malformed NGSetupRequest

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS version 2.7.6. The issue arises in the Access and Mobility Management Function (AMF) when it receives an abnormal NGSetupRequest message. This malformed message causes the AMF to crash, disrupting service. The problem stems from improper handling of the 'id-GlobalRANNodeID' Information Element (IE), which, when altered, leads to invalid memory access and process termination.

Impact

Exploitation of this vulnerability causes the AMF process to crash, leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending an NGSetupRequest that includes the 'id-GlobalRANNodeID' IE. If the 'value' choice byte is changed from '0x00' to another value, such as '0xC0', the AMF will crash. This occurs because the parser generates an invalid pointer for 'globalGNB_ID->pLMNIdentity.buf', which, when accessed, causes a memory access violation. The crash can be observed in the AMF logs, where the error 'Invalid PLMNIdentity size' indicates the issue.

Remediation

Users can update to the latest version of Open5GS, where this vulnerability has been fixed. Instructions for updating can be found in the Open5GS documentation.
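
The Reproduction section above describes a decoded 'id-GlobalRANNodeID' whose 'globalGNB_ID->pLMNIdentity.buf' is not safe to read. The following C sketch is an added example, not Open5GS source and not the upstream fix: it shows the checks a consumer of the decoded IE can make before touching that buffer, so a bad message is rejected instead of crashing the process. The struct types, enum values and the function name plmn_from_ran_node_id are hypothetical, modelled on an asn1c-style CHOICE.

```c
/* Added example: hypothetical types modelled on an asn1c-style CHOICE; not Open5GS source. */
#include <stddef.h>
#include <stdint.h>

#define PLMN_ID_LEN 3  /* 3GPP PLMNIdentity is OCTET STRING (SIZE(3)) */
typedef struct { const uint8_t *buf; size_t size; } octet_string_t;
typedef struct { octet_string_t pLMNIdentity; } global_gnb_id_t;
typedef enum { RAN_NOTHING = 0, RAN_GLOBAL_GNB_ID, RAN_GLOBAL_NGENB_ID, RAN_GLOBAL_N3IWF_ID } ran_present_t;

typedef struct {
    ran_present_t present;          /* which CHOICE alternative the decoder selected */
    union {
        global_gnb_id_t *globalGNB_ID;
        void *other;                /* remaining alternatives, not modelled here */
    } choice;
} global_ran_node_id_t;

typedef struct { uint16_t mcc; uint16_t mnc; uint8_t mnc_len; } plmn_t;

/* Returns 0 and fills *out on success; a negative code means reject the message
 * (e.g. answer with NGSetupFailure) rather than abort the process. */
int plmn_from_ran_node_id(const global_ran_node_id_t *id, plmn_t *out)
{
    if (!id || !out) return -1;
    if (id->present != RAN_GLOBAL_GNB_ID) return -2;   /* union member not valid */
    const global_gnb_id_t *gnb = id->choice.globalGNB_ID;
    if (!gnb) return -3;
    const octet_string_t *p = &gnb->pLMNIdentity;
    if (!p->buf || p->size != PLMN_ID_LEN) return -4;  /* check before any read of buf */
    /* 3GPP PLMN identity BCD layout: MCC2|MCC1, MNC3|MCC3, MNC2|MNC1 */
    uint8_t d[6] = { p->buf[0] & 0x0F, p->buf[0] >> 4, p->buf[1] & 0x0F,
                     p->buf[2] & 0x0F, p->buf[2] >> 4, p->buf[1] >> 4 };
    out->mnc_len = (d[5] == 0x0F) ? 2 : 3;             /* 0xF filler marks a 2-digit MNC */
    for (int i = 0; i < 3 + out->mnc_len; i++)
        if (d[i] > 9) return -5;                       /* non-decimal digit */
    out->mcc = d[0] * 100 + d[1] * 10 + d[2];
    out->mnc = (out->mnc_len == 2) ? d[3] * 10 + d[4]
                                   : d[3] * 100 + d[4] * 10 + d[5];
    return 0;
}

int main(void)
{
    static const uint8_t sample[3] = { 0x99, 0xF9, 0x07 };  /* constructed: MCC 999, MNC 70 */
    global_gnb_id_t gnb = { { sample, sizeof sample } };
    global_ran_node_id_t id = { RAN_GLOBAL_GNB_ID, { &gnb } };
    plmn_t out;
    return plmn_from_ran_node_id(&id, &out);
}
```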

Added: Nov 10, 2025, 7:17 PM
Updated: Nov 10, 2025, 7:17 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.