Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.5
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.5, specifically within the Access and Mobility Management Function (AMF). The issue arises in the GPRS Mobility Management (GMM) state machine when processing Policy Control Function (PCF) response payloads. Under strict memory constraints, such as those imposed by Docker, the AMF can crash while handling multiple user equipment (UE) registrations. This crash disrupts ongoing sessions and authentication processes, leading to a significant service outage. The vulnerability can be exploited remotely, without authentication, by simulating UE registrations and sending malformed PCF responses.
Exploitation of this vulnerability causes the AMF to crash, disrupting UE registration and session management processes. This leads to a partial denial-of-service condition in the 5G core control plane, affecting the reliability of operations.
The vulnerability can be reproduced by deploying Open5GS version 2.7.5 in a Docker environment with limited memory. During this constrained state, multiple UEs can be registered, which triggers the AMF to process PCF response payloads. The improper handling of these responses under resource limitations causes the AMF to enter an invalid state, leading to a crash.
Users are advised to upgrade to Open5GS version 2.7.6, where this vulnerability has been addressed.
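A triage check for the conditions described above, as an added example that is not part of the original advisory or of Open5GS. It reads `docker inspect` JSON and reports, per container, whether the image version predates 2.7.6, whether a memory limit is set, and how often the container has restarted. The container names, the image names, and the assumption that the image tag carries the Open5GS version are hypothetical.

```python
import json
import re

FIXED = (2, 7, 6)  # first fixed release according to the advisory

# Constructed sample in the shape of `docker inspect` output; the container
# names and image tags are hypothetical.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/amf-a", "RestartCount": 4,
     "Config": {"Image": "example/open5gs-amf:v2.7.5"},
     "HostConfig": {"Memory": 268435456},
     "State": {"OOMKilled": True}},
    {"Name": "/amf-b", "RestartCount": 0,
     "Config": {"Image": "example/open5gs-amf:2.7.6"},
     "HostConfig": {"Memory": 0},
     "State": {"OOMKilled": False}},
])


def parse_version(image):
    """Return (major, minor, patch) from an image tag, or None if absent."""
    tag = image.rsplit(":", 1)[1] if ":" in image else ""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def triage(inspect_json):
    """Summarise each container's exposure to the AMF crash condition."""
    findings = []
    for c in json.loads(inspect_json):
        version = parse_version(c["Config"]["Image"])
        limit = c["HostConfig"].get("Memory", 0)  # 0 means no limit set
        findings.append({
            "name": c["Name"].lstrip("/"),
            # An unparseable version is treated as affected until verified.
            "affected": version is None or version < FIXED,
            "memory_limited": limit > 0,
            "oom_killed": c["State"].get("OOMKilled", False),
            "restarts": c.get("RestartCount", 0),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INSPECT):
        flag = "REVIEW" if f["affected"] and f["memory_limited"] else "ok"
        print(flag, f)
```

To run it against a live host, pass the output of `docker inspect <container>...` to `triage()` in place of the constructed sample.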