free5GC Array Index Out of Bounds Vulnerability in AMF Component Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the AMF component of free5GC version 4.0.1. This issue arises from an array index out of bounds error in the processing of 5GS Mobile Identity within NAS Registration Request messages. Remote attackers can exploit this vulnerability by sending crafted messages, causing a runtime panic that crashes the AMF service. The flaw is located in the GetSUCI method of the NAS_MobileIdentity5GS.go file, where the code accesses index 5 of a 5-element array (valid indexes are 0 through 4), leading to a service disruption in the 5G core network.
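The bug class described above, as an added Go example that is not free5GC code and not the patch from the nas repository: an unchecked read at index 5 of a 5-byte slice beside a length-checked version, plus a per-message recover boundary that turns a decoder panic into an error. The function names, error values and the "field at offset 5" layout are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Assumed layout, for illustration only: the decoder wants the byte at offset 5.
const fieldOffset = 5

var (
	ErrShortIdentity = errors.New("mobile identity too short")
	ErrDecoderPanic  = errors.New("decoder panicked")
)

// fieldUnchecked shows the bug class: it trusts the peer-supplied length, so a
// 5-byte buffer (valid indexes 0..4) makes the index expression panic.
func fieldUnchecked(contents []byte) byte {
	return contents[fieldOffset]
}

// fieldChecked validates the length first and reports a decode error instead.
func fieldChecked(contents []byte) (byte, error) {
	if len(contents) <= fieldOffset {
		return 0, fmt.Errorf("%w: have %d bytes, need %d",
			ErrShortIdentity, len(contents), fieldOffset+1)
	}
	return contents[fieldOffset], nil
}

// guard is a per-message recover boundary: a panic inside decode becomes an
// error for this one message rather than terminating the whole process.
func guard(decode func([]byte) byte, contents []byte) (b byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			b, err = 0, fmt.Errorf("%w: %v", ErrDecoderPanic, r)
		}
	}()
	return decode(contents), nil
}

func main() {
	short := []byte{0x01, 0x02, 0x03, 0x04, 0x05} // constructed sample, 5 bytes
	_, err := fieldChecked(short)
	fmt.Println("checked:  ", err)
	_, err = guard(fieldUnchecked, short)
	fmt.Println("unchecked:", err)
}
```

The length check is the actual fix for this class of bug; the recover boundary only limits the blast radius of a decoder bug that has not been found yet.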

Impact

Exploitation of this vulnerability causes a complete crash of the AMF service, leading to a denial-of-service condition for the entire 5G core network. Restoring the AMF service requires manual intervention.

Reproduction

To reproduce this vulnerability, establish an SCTP connection to the AMF NGAP interface on port 38412. First, send a normal NGSetupRequest message. Then, send a malicious InitialUEMessage containing a malformed NAS PDU that includes an invalid 5GS Mobile Identity. This will trigger the array index out of bounds error, causing the AMF to panic and crash.

Remediation

Users are advised to upgrade to the latest release of free5GC that includes the patch for this vulnerability. The fix has been implemented in the free5GC/nas repository, PR #43.

Added: Feb 13, 2026, 5:25 PM
Updated: Feb 13, 2026, 10:21 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 3.0
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.