Open5GS AMF Service Reachable Assertion Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.5, specifically within the AMF service. The issue arises in the 'amf_state_operational' function of 'src/amf/amf-sm.c', where an assertion failure can be triggered. This vulnerability is exploited by sending a SIGTERM signal to the AMF process during its initialization phase, after it has dispatched subscription requests to the NRF but before those responses are received. As a result, the internal state machine is left in an invalid state, causing the AMF process to crash. This exploitation leads to a disruption of 5G core network services, preventing gNodeBs and user equipment from establishing connections.

Impact

Exploitation of this vulnerability causes the AMF process to crash, leading to a denial-of-service condition that disrupts 5G core network services. This prevents gNodeBs and user equipment from establishing connections, effectively paralyzing network operations.

Reproduction

To reproduce this vulnerability, start all network functions except for the AMF. Then, launch the AMF process. Immediately after AMF sends subscription requests to the NRF, but before it processes the HTTP responses, terminate the AMF process. This sequence of actions will trigger the assertion failure, causing AMF to crash.

Remediation

Users are advised to update to the patched version of Open5GS, which is available on the Open5GS GitHub repository.