Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.5
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.5. The issue arises in the AMF component, specifically within the 'amf_npcf_am_policy_control_build_create' and 'amf_nsmf_pdusession_build_create_sm_context' functions, located in 'src/amf/npcf-build.c'. This vulnerability can be exploited remotely and has been publicly disclosed. Under certain conditions, such as strict memory constraints, the AMF can crash during the initialization or registration phase. This occurs when the AMF receives a delayed response from the Nudm-SDM after the associated context has already been cleared, leading to a fatal assertion failure and a crash of the AMF process.
Exploitation of this vulnerability causes the AMF process to crash, disrupting 5G core network access and critical security functions like mobility management and authentication.
The vulnerability can be reproduced by deploying Open5GS AMF in a Docker container with strict memory limits. After starting the AMF container, the UERANSIM gNodeB simulator can be used to repeatedly attach and detach a simulated user equipment (UE) device. This process should be monitored, as the AMF is likely to crash within 1 to 10 minutes due to the delayed processing of the UE context, caused by the memory constraints.
Users are advised to upgrade to Open5GS version 2.7.6, which addresses this vulnerability. The patch is available on the Open5GS GitHub repository.
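The failure mode described above, a late response arriving for a UE context that has already been removed, is modelled below in simplified C. This is an added illustration, not code from Open5GS or its patch; every name in it (`ue_ref_t`, `ue_find`, `on_response_fragile`, `on_response_hardened`) is hypothetical. The hardened handler treats the missing context as an event to drop rather than a condition to assert on.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_UE 4
enum { RESP_HANDLED = 0, RESP_STALE_DROPPED = -1 };

/* Hypothetical UE context slot; generation changes whenever the slot is freed. */
typedef struct { int in_use; uint32_t generation; } ue_ctx_t;
/* Handle carried by an outstanding request instead of a raw pointer. */
typedef struct { size_t slot; uint32_t generation; } ue_ref_t;

static ue_ctx_t pool[MAX_UE];

ue_ref_t ue_add(void) {
    ue_ref_t ref = { MAX_UE, 0 };          /* invalid handle if the pool is full */
    for (size_t i = 0; i < MAX_UE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            ref.slot = i;
            ref.generation = pool[i].generation;
            break;
        }
    }
    return ref;
}

void ue_remove(ue_ref_t ref) {
    if (ref.slot < MAX_UE && pool[ref.slot].in_use &&
        pool[ref.slot].generation == ref.generation) {
        pool[ref.slot].in_use = 0;
        pool[ref.slot].generation++;       /* invalidates outstanding handles */
    }
}

ue_ctx_t *ue_find(ue_ref_t ref) {
    if (ref.slot >= MAX_UE) return NULL;
    ue_ctx_t *ue = &pool[ref.slot];
    return (ue->in_use && ue->generation == ref.generation) ? ue : NULL;
}

/* Fragile: a late response for a removed context aborts the whole process. */
int on_response_fragile(ue_ref_t ref) {
    ue_ctx_t *ue = ue_find(ref);
    assert(ue != NULL);
    return RESP_HANDLED;
}

/* Hardened: a late response is an expected runtime event; drop it and continue. */
int on_response_hardened(ue_ref_t ref) {
    ue_ctx_t *ue = ue_find(ref);
    if (ue == NULL) return RESP_STALE_DROPPED;
    return RESP_HANDLED;
}
```

The generation counter also covers the case where the freed slot has been reused by a new registration before the old response arrives.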