Open5GS Assertion Vulnerability in AMF Component via ngap_build_downlink_nas_transport

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.5. The issue arises in the AMF component, specifically within the ngap_build_downlink_nas_transport function, where improper handling of state transitions can lead to a fatal crash. This vulnerability can be exploited remotely, especially under strict memory constraints that cause the AMF to receive delayed error responses from the SMF. As a result, the AMF process crashes, disrupting all active UE contexts.

Impact

Exploitation of this vulnerability causes a fatal assertion failure in the AMF process, leading to a crash that disrupts all UE contexts being processed by the AMF.

Reproduction

The vulnerability can be reproduced by deploying Open5GS in Docker containers, starting all Network Function containers, and applying strict memory constraints to the container or host system running the SMF. During PDU session establishment, if the AMF fails to connect to the SMF while creating the SM context, it incorrectly proceeds with NAS signaling. This leaves the AMF in an invalid internal state, which triggers a fatal error in the ngap_build_downlink_nas_transport function and crashes the AMF process. The crash is visible in the AMF logs, where the error 'ngap_build_downlink_nas_transport: should not be reached' indicates that the assertion has been triggered.

Remediation

Upgrading to Open5GS version 2.7.6 addresses this vulnerability. The patch can be applied by downloading the latest version from the Open5GS GitHub repository.
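
A triage helper for operators, added here as an example (it is not code from the advisory or from Open5GS): it checks a version string against the fixed release named above and scans AMF log lines for the crash message quoted in the Reproduction section, keeping the preceding lines as context. The function names and the sample log lines are assumptions; only the marker string and the version numbers come from this page.

```python
import re

# Log string the advisory gives as the sign that the AMF assertion fired.
CRASH_MARKER = "ngap_build_downlink_nas_transport: should not be reached"
FIXED_VERSION = (2, 7, 6)  # first fixed release according to the advisory


def is_affected(version_text):
    """True if an Open5GS version string ('2.7.5', 'v2.7.5') predates the fix."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version_text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    # Tuple comparison avoids the string-compare trap ('2.10.0' < '2.7.6').
    return tuple(int(part) for part in m.groups()) < FIXED_VERSION


def find_crashes(lines, context=3):
    """Return one record per crash marker, with the lines that preceded it."""
    hits = []
    for idx, line in enumerate(lines):
        if CRASH_MARKER in line:
            hits.append({
                "line_no": idx + 1,
                "line": line.rstrip(),
                # Preceding lines help confirm the SMF failure that led here.
                "context": [l.rstrip() for l in lines[max(0, idx - context):idx]],
            })
    return hits


# Constructed sample: only the marker text is taken from the advisory; the
# timestamps, log levels and other messages are assumptions for illustration.
SAMPLE_AMF_LOG = [
    "08/10 10:17:01.100: [amf] INFO: PDU session establishment requested",
    "08/10 10:17:02.200: [amf] ERROR: SM context creation toward SMF failed",
    "08/10 10:17:02.250: [amf] INFO: continuing NAS signaling",
    "08/10 10:17:02.300: [amf] FATAL: " + CRASH_MARKER,
]

if __name__ == "__main__":
    print("2.7.5 affected:", is_affected("2.7.5"))
    for hit in find_crashes(SAMPLE_AMF_LOG):
        print(f"crash marker at line {hit['line_no']}: {hit['line']}")
        for ctx in hit["context"]:
            print("    before:", ctx)
```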

Added: Aug 10, 2025, 10:17 AM
Updated: Aug 10, 2025, 10:17 AM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.