free5gc Buffer Overflow Vulnerability in AMF Component Allowing Denial-of-Service

Vulnerability

A buffer overflow vulnerability has been identified in the free5gc Access and Mobility Management Function (AMF) component, affecting versions through 4.1.0. The vulnerability arises when AMF processes a crafted UplinkRANConfigurationTransfer NGAP message from a gNB. An attacker-controlled gNB can send messages with malformed or missing TargetRANNodeID fields, or references to non-existent RAN contexts, leading to a nil pointer dereference and causing the AMF process to crash.

Impact

Exploitation of this vulnerability leads to a crash of the AMF process, causing a denial-of-service condition.

Reproduction

To reproduce this vulnerability, deploy free5gc AMF version 4.1.0 with the default configuration. Connect a gNB emulator to the AMF and send an NGAP message with missing or malformed TargetRANNodeID fields or non-existent RAN context references. This will trigger a nil pointer dereference, causing the AMF process to crash.

Remediation

Users are advised to upgrade to free5gc version 4.1.1 or later, where this vulnerability has been addressed.
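
The failure mode described above, and the nil-guarding that prevents it, as an added Go example. This is not free5gc code and not the 4.1.1 patch: every type, field and function name below is a hypothetical, simplified stand-in for a decoded NGAP message and the AMF's RAN context table.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for decoded NGAP IEs; optional IEs decode to nil pointers.
type TargetRANNodeID struct{ GNBID string }
type SONConfigurationTransfer struct{ TargetRANNodeID *TargetRANNodeID }
type UplinkRANConfigurationTransfer struct{ SON *SONConfigurationTransfer }
type RanContext struct{ Forwarded int } // per-gNB state held by the AMF

var ErrMalformed = errors.New("malformed UplinkRANConfigurationTransfer")
var ErrUnknownRAN = errors.New("target RAN context not found")

// HandleUnsafe trusts that every IE is present and that the lookup succeeds.
func HandleUnsafe(pool map[string]*RanContext, msg *UplinkRANConfigurationTransfer) {
	id := msg.SON.TargetRANNodeID.GNBID // panics when TargetRANNodeID is nil
	pool[id].Forwarded++                // panics when no context exists for id
}

// HandleSafe rejects the message instead of dereferencing a nil pointer.
func HandleSafe(pool map[string]*RanContext, msg *UplinkRANConfigurationTransfer) error {
	if msg == nil || msg.SON == nil || msg.SON.TargetRANNodeID == nil {
		return ErrMalformed
	}
	ran := pool[msg.SON.TargetRANNodeID.GNBID]
	if ran == nil {
		return ErrUnknownRAN
	}
	ran.Forwarded++
	return nil
}

// Crashes reports whether f panics; recover is used here only to observe it.
func Crashes(f func()) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	f()
	return false
}

func main() {
	pool := map[string]*RanContext{"gnb-1": {}}
	bad := &UplinkRANConfigurationTransfer{SON: &SONConfigurationTransfer{}} // constructed: IE absent
	fmt.Println("unsafe handler crashes:", Crashes(func() { HandleUnsafe(pool, bad) }))
	fmt.Println("safe handler returns:", HandleSafe(pool, bad))
}
```

In a real service an unrecovered panic in one handler goroutine terminates the whole process, which is why a single message is enough for denial of service.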

Added: Nov 12, 2025, 7:20 PM
Updated: Nov 12, 2025, 7:20 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.