free5GC AMF Buffer Overflow Vulnerability Leading to Denial of Service

A buffer overflow vulnerability has been identified in the free5GC AMF service, specifically in versions through 1.4.0. This vulnerability allows remote, unauthenticated attackers to crash the AMF service by sending a malformed NAS Registration Request. The crafted request includes a distorted 5GS Mobile Identity, which triggers an array index out-of-bounds error, causing a complete denial of service for the 5G core network. All deployments of free5GC using the AMF component may be affected.

Impact

Exploitation of this vulnerability causes the AMF service to crash, leading to a total denial of service for the 5G core network. The issue requires manual intervention to restore the AMF service.

Reproduction

The vulnerability can be reproduced by establishing an SCTP connection to the AMF NGAP interface and sending a normal NGSetupRequest message followed by a malicious InitialUEMessage that includes a malformed NAS PDU. This sequence of actions will cause the AMF service to panic and crash due to the array index out-of-bounds error.

Remediation

Users are advised to upgrade to the next release of free5GC that includes the patch for this vulnerability. The fix has been implemented in the free5GC/nas repository, specifically in pull request #43.