Open5GS Denial-of-Service Vulnerability in AMF Component

Vulnerability

A denial-of-service vulnerability exists in Open5GS versions through 2.7.5, specifically within the AMF component. The issue arises in the 'gmm_state_exception' function of 'src/amf/gmm-sm.c', where late responses from the nudm-uecm service are not handled properly. Under certain conditions, such as strict memory constraints, the AMF may receive delayed HTTP/2 responses after the corresponding user equipment (UE) context has already been removed. This late response causes the AMF's state machine to encounter an unhandled situation, leading to a fatal assertion failure and crashing the AMF process. As a result, all connected UEs experience service disruption, impacting normal 5G core network operations. The vulnerability can be exploited remotely, without any authentication, by creating conditions that delay SBI responses or by causing rapid UE deregistration.
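As an added illustration (not Open5GS's own code), the following minimal C model shows the failure mode described above: a state handler that treats a late SBI response for an already-released UE context as fatal, beside a variant that logs and drops it. All type and function names are hypothetical.

```c
/* Added illustrative model, not Open5GS code: a tiny GMM-style state
 * handler receiving events after the UE context may have been freed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum event_type { EV_SBI_RESPONSE, EV_UE_DEREGISTER, EV_OTHER };

typedef struct { int id; bool registered; } ue_context_t;

typedef struct {
    enum event_type type;
    ue_context_t *ue;   /* NULL models a context that was already removed */
} gmm_event_t;

/* Outcome codes so a caller (or test) can observe what the handler did */
enum handle_result { HANDLED = 0, DROPPED = 1, FATAL = 2 };

/* Fragile version: assumes every event still belongs to a live UE context.
 * A late nudm-uecm response after deregistration reaches the FATAL path,
 * which stands in for the assertion that crashes the process. */
enum handle_result exception_state_fragile(const gmm_event_t *e)
{
    switch (e->type) {
    case EV_SBI_RESPONSE:
        if (e->ue == NULL) return FATAL;   /* assert(ue) in real code */
        e->ue->registered = true;
        return HANDLED;
    default:
        return FATAL;                      /* "unhandled event" assertion */
    }
}

/* Hardened version: a response for a released context is logged and
 * discarded, and unexpected events are logged instead of being fatal. */
enum handle_result exception_state_hardened(const gmm_event_t *e)
{
    switch (e->type) {
    case EV_SBI_RESPONSE:
        if (e->ue == NULL) {
            fprintf(stderr, "late SBI response for released UE, dropped\n");
            return DROPPED;
        }
        e->ue->registered = true;
        return HANDLED;
    case EV_UE_DEREGISTER:
        if (e->ue) e->ue->registered = false;
        return HANDLED;
    default:
        fprintf(stderr, "unexpected event %d in exception state\n", e->type);
        return DROPPED;
    }
}
```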

Impact

Exploitation of this vulnerability causes the AMF process to crash, leading to a loss of service for all connected UEs and disrupting 5G core network operations. Persistent exploitation could cause extended unavailability of the network.

Reproduction

The vulnerability can be reproduced by deploying Open5GS AMF in a Docker container with strict memory constraints. After starting all Network Function containers, the AMF will crash during the initialization or registration phase. This occurs when the AMF receives a late SBI response from nudm-uecm, after the corresponding UE has already been deregistered, causing the state machine to enter an unhandled state and trigger a fatal error.

Remediation

Users are advised to update to Open5GS version 2.7.6 or later, where this vulnerability has been fixed.

Added: Aug 25, 2025, 4:19 AM
Updated: Aug 25, 2025, 4:19 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.