Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.5
A denial-of-service vulnerability exists in Open5GS versions up to and including 2.7.5, in the ESM (EPS Session Management) handler of the MME. The function esm_handle_pdn_connectivity_request processes a PDN CONNECTIVITY REQUEST whose PDN type field carries a value it has no path for and reaches a fatal assertion. ESM is an EPS NAS procedure handled by the MME, so the affected process is the MME, not the AMF. The trigger is remote: any UE that can reach the MME through a connected eNodeB can send the message, crashing the MME process and producing a core dump, which disrupts attach/registration and session management for every UE that MME serves.
A successful trigger crashes the Open5GS MME process, which dumps core and exits. Every UE attached through the eNodeBs connected to that MME loses service, and UEs in the middle of attach or mobility procedures are dropped. Because the message can be resent as soon as the process is back, repeated triggers turn this into a persistent denial of network service even where a supervisor restarts the MME automatically.
The issue can be reproduced by sending the MME a PDN CONNECTIVITY REQUEST whose PDN type field is 0, a value 3GPP TS 24.301 does not assign (IPv4, IPv6 and IPv4v6 are 1, 2 and 3). The ESM message normally travels in the ESM message container of an ATTACH REQUEST carried in the S1AP InitialUEMessage, so a fuzzer that rewrites that container produces a malformed request the MME is not prepared for. On receipt, the handler has no path for that PDN type, trips the fatal assertion, and the process aborts.
Users are advised to upgrade to Open5GS 2.7.6, which adds validation of the PDN type in the ESM handler so that only supported types proceed and an unsupported value no longer reaches the assertion. Until the upgrade is in place, limit which eNodeBs may establish S1AP associations with the MME; an automatic restart of the MME shortens each outage but does not stop an attacker from repeating the trigger.
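The message layout behind the reproduction above and the kind of validation the fix adds, as a worked example added here rather than Open5GS code: it encodes the four mandatory octets of a PDN CONNECTIVITY REQUEST per 3GPP TS 24.301 section 8.3.20, decodes them the way a handler would, and answers an unassigned PDN type with a PDN CONNECTIVITY REJECT carrying ESM cause #28 (Unknown PDN type) instead of asserting. All function, type and constant names are this example's own, the supported set (IPv4, IPv6, IPv4v6) is an assumption about a hypothetical core, and the real 2.7.6 change may respond differently.

```c
/* Added example (not Open5GS code): encode, decode and validate the mandatory
 * part of an ESM PDN CONNECTIVITY REQUEST (3GPP TS 24.301 8.3.20). All names are
 * this example's own; the supported PDN type set is an assumption. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ESM_PD                           0x02 /* protocol discriminator: EPS session management */
#define ESM_MT_PDN_CONNECTIVITY_REQUEST  0xD0
#define ESM_MT_PDN_CONNECTIVITY_REJECT   0xD1
#define ESM_CAUSE_UNKNOWN_PDN_TYPE       28   /* TS 24.301 9.9.4.4 */
#define REQUEST_TYPE_INITIAL             1    /* TS 24.301 9.9.4.14 */

/* PDN type values (TS 24.301 9.9.4.10); 0 and 4 are not assigned */
enum { PDN_TYPE_IPV4 = 1, PDN_TYPE_IPV6 = 2, PDN_TYPE_IPV4V6 = 3, PDN_TYPE_NON_IP = 5 };

/* Handler outcomes */
enum { ESM_ACCEPTED = 0, ESM_REJECTED = 1, ESM_MALFORMED = -1 };

struct esm_pdn_req {
    uint8_t ebi;          /* EPS bearer identity, bits 8-5 of octet 1 */
    uint8_t pti;          /* procedure transaction identity, octet 2 */
    uint8_t pdn_type;     /* 3-bit value, bits 7-5 of octet 4 (bit 8 spare) */
    uint8_t request_type; /* 3-bit value, bits 3-1 of octet 4 (bit 4 spare) */
};

/* Encode the four mandatory octets. Returns bytes written, 0 if cap is too small. */
size_t esm_encode_pdn_req(const struct esm_pdn_req *r, uint8_t *out, size_t cap)
{
    if (cap < 4) return 0;
    out[0] = (uint8_t)((r->ebi << 4) | ESM_PD);
    out[1] = r->pti;
    out[2] = ESM_MT_PDN_CONNECTIVITY_REQUEST;
    out[3] = (uint8_t)(((r->pdn_type & 0x7) << 4) | (r->request_type & 0x7));
    return 4;
}

/* Decode the mandatory octets. Returns 0 on success, -1 if too short or not this message. */
int esm_decode_pdn_req(const uint8_t *in, size_t len, struct esm_pdn_req *r)
{
    if (len < 4 || (in[0] & 0x0F) != ESM_PD || in[2] != ESM_MT_PDN_CONNECTIVITY_REQUEST)
        return -1;
    r->ebi = in[0] >> 4;
    r->pti = in[1];
    r->pdn_type = (in[3] >> 4) & 0x7;   /* field is only 3 bits; ignore the spare bit */
    r->request_type = in[3] & 0x7;
    return 0;
}

/* PDN CONNECTIVITY REJECT (TS 24.301 8.3.19): same header plus one ESM cause octet */
static size_t esm_encode_pdn_reject(uint8_t ebi, uint8_t pti, uint8_t cause,
                                    uint8_t *out, size_t cap)
{
    if (cap < 4) return 0;
    out[0] = (uint8_t)((ebi << 4) | ESM_PD);
    out[1] = pti;
    out[2] = ESM_MT_PDN_CONNECTIVITY_REJECT;
    out[3] = cause;
    return 4;
}

/* Hardened handler. The unpatched pattern is a switch over the PDN type whose
 * default branch asserts; here every value outside the supported set is answered
 * with a reject and the process keeps running. */
int esm_handle_pdn_req(const uint8_t *msg, size_t len,
                       uint8_t *reply, size_t cap, size_t *reply_len)
{
    struct esm_pdn_req r;
    *reply_len = 0;
    if (esm_decode_pdn_req(msg, len, &r) < 0)
        return ESM_MALFORMED;                 /* drop silently; nothing to answer */

    switch (r.pdn_type) {
    case PDN_TYPE_IPV4:
    case PDN_TYPE_IPV6:
    case PDN_TYPE_IPV4V6:
        return ESM_ACCEPTED;                  /* caller continues with session setup */
    default:
        /* 0, 4, 6, 7 are unassigned; NON_IP is assigned but unsupported by this
         * hypothetical core. Either way: tell the UE and stay alive. */
        *reply_len = esm_encode_pdn_reject(r.ebi, r.pti, ESM_CAUSE_UNKNOWN_PDN_TYPE, reply, cap);
        return ESM_REJECTED;
    }
}

/* Run a request with the given PDN type through the handler; return the outcome. */
int esm_try_pdn_type(uint8_t pdn_type)
{
    struct esm_pdn_req r = { 0, 1, pdn_type, REQUEST_TYPE_INITIAL };
    uint8_t msg[4], reply[4];
    size_t n = esm_encode_pdn_req(&r, msg, sizeof msg), rl;
    return esm_handle_pdn_req(msg, n, reply, sizeof reply, &rl);
}

/* Same, but return the ESM cause from the reject (0 when accepted or malformed). */
int esm_try_pdn_type_cause(uint8_t pdn_type)
{
    struct esm_pdn_req r = { 0, 1, pdn_type, REQUEST_TYPE_INITIAL };
    uint8_t msg[4], reply[4];
    size_t n = esm_encode_pdn_req(&r, msg, sizeof msg), rl;
    return esm_handle_pdn_req(msg, n, reply, sizeof reply, &rl) == ESM_REJECTED ? reply[3] : 0;
}

int main(void)
{
    static const char *names[] = { "accepted", "rejected" };
    for (uint8_t t = 0; t < 8; t++) {          /* walk every 3-bit PDN type value */
        int out = esm_try_pdn_type(t);
        printf("PDN type %u: %s", t, names[out]);
        if (out == ESM_REJECTED) printf(" (ESM cause #%d)", esm_try_pdn_type_cause(t));
        printf("\n");
    }
    return 0;
}
```

Running it walks all eight encodable PDN type values; 1, 2 and 3 are accepted and the rest, including the value 0 used in the reproduction, come back as a reject with cause #28. The point of the shape is that the decode step and the type check both run before any state is touched, so a malformed or unassigned value is a per-message error rather than a process-wide one.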