Free5GC
cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*
- <= 4.2.0
A denial-of-service vulnerability has been identified in Free5GC versions through 4.2.0. When the Access and Mobility Management Function (AMF) receives an AuthenticationFailure NAS message, the process crashes due to a nil pointer dereference. This issue can be exploited by sending an AuthenticationFailure message after a RegistrationRequest, causing the AMF process to panic and terminate.
Exploiting this vulnerability leads to a nil pointer dereference, causing the AMF process to crash.
To reproduce this vulnerability, deploy Free5GC with the default configuration. Use the UERANSIM simulator to connect a User Equipment (UE) to the Free5GC network. After sending a RegistrationRequest NAS message, send an AuthenticationFailure NAS message. Monitor the Free5GC AMF process logs to confirm the crash, which is logged as a panic due to an invalid memory address or nil pointer dereference.
Users can apply the fix available in Free5GC AMF pull request #199, which adds a nil pointer check for the Authentication Context before handling AuthenticationFailure messages.
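The class of bug and the kind of guard the fix describes, as an added Go example that is not Free5GC's code or the patch from the pull request. The types, function names, SUPI and cause value are hypothetical and constructed for illustration; the model assumes the authentication context is a pointer that stays nil until the AMF has started authentication.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified stand-ins for AMF state; not Free5GC's real structs.
type AuthContext struct{ AuthType string }

type UeContext struct {
	Supi    string
	AuthCtx *AuthContext // assumption: nil until authentication has been started
}

var ErrNoAuthCtx = errors.New("AuthenticationFailure received without an authentication context")

// handleAuthFailureUnchecked models the pre-fix pattern: AuthCtx is dereferenced unconditionally.
func handleAuthFailureUnchecked(ue *UeContext, cause uint8) string {
	return fmt.Sprintf("auth failure cause=%d during %s", cause, ue.AuthCtx.AuthType)
}

// handleAuthFailureChecked rejects the message when no authentication context
// exists, so an out-of-sequence message yields an error instead of a panic.
func handleAuthFailureChecked(ue *UeContext, cause uint8) (string, error) {
	if ue == nil || ue.AuthCtx == nil {
		return "", ErrNoAuthCtx
	}
	return fmt.Sprintf("auth failure cause=%d during %s", cause, ue.AuthCtx.AuthType), nil
}

// panics reports whether f panics; without a recover, the whole process would exit.
func panics(f func()) (p bool) {
	defer func() {
		if recover() != nil {
			p = true
		}
	}()
	f()
	return false
}

func main() {
	ue := &UeContext{Supi: "imsi-000000000000001"} // constructed sample, no AuthCtx yet
	fmt.Println("unchecked handler panics:", panics(func() { handleAuthFailureUnchecked(ue, 21) }))
	_, err := handleAuthFailureChecked(ue, 21)
	fmt.Println("checked handler returns:", err)
}
```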