OpenAirInterface CN5G AMF Buffer Overflow Vulnerability Allowing Denial-of-Service and Potential Code Execution

Vulnerability

A buffer overflow vulnerability has been identified in OpenAirInterface CN5G AMF versions through 2.1.9. The flaw is in the processing of NAS messages: an unauthorized remote attacker can send an IMSI string longer than 1000 characters to the AMF component via port N1. Exploitation can lead to a denial-of-service condition and potentially allow the execution of malicious code.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition, leading to a crash of the AMF component. Additionally, the buffer overflow could be leveraged to execute arbitrary code, creating a significant security risk.

Reproduction

The vulnerability can be reproduced by deploying the OpenAirInterface core network environment using containers. After simulating a connection from the gNB to the core network, the UERANSIM source code can be modified to construct illegal NAS messages. By adjusting the 'supi' parameter length in the 'open5gs-ue.yaml' configuration file to 1200, and then sending the modified NAS message, the buffer overflow can be triggered, causing the system to crash.
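
The kind of length and character check that stops an oversized IMSI before it reaches a fixed-size buffer is sketched below. This is an added example, not code from the OpenAirInterface project. The helper name, the status codes, the 15-digit limit (taken from ITU-T E.212) and the optional "imsi-" prefix handling are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: ITU-T E.212 limits an IMSI to 15 decimal digits. */
#define IMSI_MAX_DIGITS 15
#define IMSI_BUF_SIZE (IMSI_MAX_DIGITS + 1)

enum imsi_status { IMSI_OK = 0, IMSI_EMPTY, IMSI_TOO_LONG, IMSI_BAD_CHAR, IMSI_BAD_ARG };

/* Hypothetical helper (not from the OAI code base): validate an IMSI taken
 * from an untrusted NAS message, then copy it into a fixed-size buffer.
 * src need not be NUL-terminated; src_len is the length the decoder reports. */
enum imsi_status imsi_copy_checked(const char *src, size_t src_len,
                                   char dst[IMSI_BUF_SIZE])
{
    static const char prefix[] = "imsi-";   /* SUPI text form, optional */
    const size_t plen = sizeof(prefix) - 1;

    if (src == NULL || dst == NULL)
        return IMSI_BAD_ARG;
    dst[0] = '\0';                           /* never leave dst undefined */
    if (src_len >= plen && memcmp(src, prefix, plen) == 0) {
        src += plen;
        src_len -= plen;
    }
    if (src_len == 0)
        return IMSI_EMPTY;
    if (src_len > IMSI_MAX_DIGITS)           /* reject before any copy */
        return IMSI_TOO_LONG;
    for (size_t i = 0; i < src_len; i++)
        if (!isdigit((unsigned char)src[i]))
            return IMSI_BAD_CHAR;

    memcpy(dst, src, src_len);               /* src_len <= 15 < IMSI_BUF_SIZE */
    dst[src_len] = '\0';
    return IMSI_OK;
}

int main(void)
{
    char big[1200], out[IMSI_BUF_SIZE];      /* constructed oversized input */
    memset(big, '1', sizeof big);
    printf("oversized: %d\n", imsi_copy_checked(big, sizeof big, out));
    printf("valid:     %d\n", imsi_copy_checked("imsi-001010000000001", 20, out));
    return 0;
}
```

The check runs on the length reported by the decoder, so the destination buffer is never written unless the input already fits.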

Added: Jan 7, 2026, 5:37 PM
Updated: Jan 7, 2026, 5:37 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.