Open5GS Assertion Failure Vulnerability in SCTP Partial Message Handling

Vulnerability

A vulnerability exists in Open5GS versions through 2.7.3 in the AMF component's NGAP and S1AP SCTP message handling. The AMF processes oversized or fragmented SCTP messages incorrectly: when a non-final fragment arrives without the 'MSG_EOR' flag (which is normal for partial delivery of a long message), the AMF treats it as an error and triggers a fatal assertion, crashing the process. The issue requires local exploitation and can be reproduced by sending manipulated SCTP messages whose exaggerated TAI field length produces overly long user location information.
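The following C example is added here and is not Open5GS code. It shows the partial-delivery handling the description refers to: a fragment that arrives without MSG_EOR is an incomplete message that must be buffered, not an error, and a message that grows past a bound is discarded with an error return instead of a fatal assertion, so a single oversized PDU cannot take the process down. The recv loop is simulated with constructed fragments, and the 32-byte bound, the fragment contents and the sctp_reasm_* names are assumptions made for the example so it runs offline without an SCTP socket.

```c
/* Added example (not Open5GS code): reassembling SCTP user messages that
 * arrive over several sctp_recvmsg() calls. Only a fragment carrying MSG_EOR
 * ends a message; earlier fragments are partial deliveries. An oversized
 * message is drained and dropped rather than asserted on. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <sys/socket.h>   /* MSG_EOR */

typedef struct {
    unsigned char *buf;   /* accumulates fragments of the current message */
    size_t len;           /* bytes accumulated so far */
    size_t max_len;       /* hard bound on one reassembled message */
    int overflow;         /* current message exceeded max_len; drop it at EOR */
} sctp_reasm_t;

/* One fragment as sctp_recvmsg() would report it (constructed here). */
typedef struct {
    const unsigned char *data;
    size_t len;
    int flags;            /* MSG_EOR set on the final fragment only */
} sctp_chunk_t;

int sctp_reasm_init(sctp_reasm_t *r, size_t max_len) {
    r->buf = malloc(max_len);
    if (!r->buf) return -1;
    r->len = 0; r->max_len = max_len; r->overflow = 0;
    return 0;
}

void sctp_reasm_reset(sctp_reasm_t *r) { r->len = 0; r->overflow = 0; }

void sctp_reasm_free(sctp_reasm_t *r) { free(r->buf); r->buf = NULL; }

/* Feed one fragment. Returns 0 = need more fragments, 1 = complete message
 * in r->buf/r->len (caller consumes it, then calls sctp_reasm_reset),
 * -1 = message ended but was oversized and has been discarded. */
int sctp_reasm_feed(sctp_reasm_t *r, const sctp_chunk_t *c) {
    if (!r->overflow) {
        if (c->len > r->max_len - r->len) {
            r->overflow = 1;          /* remember; keep draining until EOR */
        } else {
            memcpy(r->buf + r->len, c->data, c->len);
            r->len += c->len;
        }
    }
    if (!(c->flags & MSG_EOR))
        return 0;                     /* partial delivery: not an error */
    if (r->overflow) {
        sctp_reasm_reset(r);          /* drop the oversized message */
        return -1;
    }
    return 1;
}

typedef struct { int complete; int dropped; size_t last_len; } sctp_reasm_stats_t;

/* Drive a fragment sequence through the reassembler and count outcomes. */
sctp_reasm_stats_t sctp_reasm_run(size_t max_len, const sctp_chunk_t *chunks, size_t n) {
    sctp_reasm_stats_t s = { 0, 0, 0 };
    sctp_reasm_t r;
    if (sctp_reasm_init(&r, max_len) != 0) return s;
    for (size_t i = 0; i < n; i++) {
        int rc = sctp_reasm_feed(&r, &chunks[i]);
        if (rc == 1) { s.complete++; s.last_len = r.len; sctp_reasm_reset(&r); }
        else if (rc == -1) s.dropped++;
    }
    sctp_reasm_free(&r);
    return s;
}

/* Constructed scenario: a 10-byte message in three fragments (only the last
 * has MSG_EOR), then a 48-byte message that exceeds the 32-byte bound. */
sctp_reasm_stats_t sctp_reasm_demo(void) {
    static const unsigned char p1[] = "NGAP", p2[] = "-PDU", p3[] = "-1";
    static const unsigned char big[] = "0123456789abcdef";   /* 16 bytes */
    const sctp_chunk_t seq[] = {
        { p1, 4, 0 }, { p2, 4, 0 }, { p3, 2, MSG_EOR },
        { big, 16, 0 }, { big, 16, 0 }, { big, 16, MSG_EOR },
    };
    return sctp_reasm_run(32, seq, sizeof seq / sizeof seq[0]);
}

int main(void) {
    sctp_reasm_stats_t s = sctp_reasm_demo();
    printf("complete=%d dropped=%d last_len=%zu\n", s.complete, s.dropped, s.last_len);
    return 0;
}
```

The first message is delivered intact once its MSG_EOR fragment arrives; the second is drained to its MSG_EOR fragment and then dropped with a -1 return, which is the point at which a real receiver would log the peer and continue rather than assert.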

Impact

Exploitation of this vulnerability causes the AMF process to crash, disrupting service and potentially leading to a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send an 'ngap uplinkNASTransport' message with a TAI field length of approximately 1,000,000 bytes to the Open5GS AMF. A message of that size is delivered in several SCTP fragments, and the fragments that arrive without the 'MSG_EOR' flag trigger the fatal assertion, crashing the AMF.

Remediation

Users are advised to update to Open5GS version 2.7.4 or later, where this vulnerability has been patched.

Added: Jul 12, 2025, 7:44 PM
Updated: Jul 12, 2025, 7:44 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.