Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.5
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.5, specifically within the AMF component's GMM state machine. The issue arises when the AMF receives delayed responses from the NUDM-SDM service after the associated user context has already been released. This scenario can occur under strict memory constraints or unstable conditions, leading to a crash of the AMF process. The vulnerability can be exploited remotely and without authentication, causing a complete loss of availability for the AMF, which disrupts 5G core network functions until manually restored.
Exploitation of this vulnerability causes the AMF process to crash, leading to a loss of availability for 5G core network functions, which remains disrupted until the process is manually restarted.
The vulnerability can be reproduced by deploying Open5GS AMF in a Docker container with strict memory constraints. After starting all network function containers, the AMF will crash during the initialization or registration phase. This occurs when the AMF receives a delayed smf-select-data response from NUDM-SDM, after the user context has been released, causing the GMM state machine to encounter an unhandled event and abort with a fatal assertion, which crashes the AMF.
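The failure mode described above, reduced to a small C model: a delayed response reaches a state machine whose context has already been released. This is an added illustration, not Open5GS source and not the project's fix; every type and function name in it is hypothetical, and the defensive handler shows a general log-and-drop pattern rather than the change shipped in 2.7.6.

```c
/* Simplified model of the failure mode; NOT Open5GS source. All names are hypothetical. */
#include <stdio.h>

enum gmm_state { GMM_REGISTERING, GMM_RELEASED };
enum sbi_event { EV_SMF_SELECT_DATA, EV_OTHER };
enum outcome   { HANDLED, DROPPED, WOULD_ABORT };

struct ue_ctx   { unsigned id, generation; enum gmm_state state; };
struct sbi_resp { unsigned ue_id, generation; enum sbi_event ev; };

/* Fragile pattern: an event the current state does not expect is fatal.
 * WOULD_ABORT stands in for the fatal assertion that kills the process. */
enum outcome handle_fragile(const struct ue_ctx *ue, const struct sbi_resp *r)
{
    if (ue->state == GMM_REGISTERING && r->ev == EV_SMF_SELECT_DATA)
        return HANDLED;
    return WOULD_ABORT;
}

/* Defensive pattern: confirm the response still belongs to a live context,
 * and treat anything unexpected as log-and-drop rather than fatal. */
enum outcome handle_defensive(const struct ue_ctx *ue, const struct sbi_resp *r)
{
    if (!ue || ue->id != r->ue_id || ue->generation != r->generation ||
        ue->state == GMM_RELEASED) {
        fprintf(stderr, "stale response for UE %u dropped\n", r->ue_id);
        return DROPPED;
    }
    if (ue->state == GMM_REGISTERING && r->ev == EV_SMF_SELECT_DATA)
        return HANDLED;
    fprintf(stderr, "unexpected event %d in state %d dropped\n", (int)r->ev, (int)ue->state);
    return DROPPED;
}

/* Constructed scenario: the request is sent while registering; the context is
 * released (release_first != 0) before the delayed response is delivered. */
enum outcome replay(int defensive, int release_first)
{
    struct ue_ctx ue = { 1, 7, GMM_REGISTERING };
    struct sbi_resp late = { ue.id, ue.generation, EV_SMF_SELECT_DATA };
    if (release_first)
        ue.state = GMM_RELEASED;
    return defensive ? handle_defensive(&ue, &late) : handle_fragile(&ue, &late);
}

int main(void)
{
    printf("fragile: %d, defensive: %d\n", replay(0, 1), replay(1, 1));
    return 0;
}
```

The `generation` field covers the case where a context slot is reused between request and response, so a late reply cannot be applied to a different session that happens to share the same identifier.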
Users are advised to upgrade to Open5GS version 2.7.6, which addresses this vulnerability. The upgrade is available on the Open5GS GitHub repository.