Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.7
A denial-of-service vulnerability has been identified in Open5GS versions prior to 2.7.7. The issue arises in the AMF SBI Endpoint component, specifically within the function 'amf_namf_callback_handle_sdm_data_change_notify'. The vulnerability is triggered by manipulating the 'changeItem.newValue' argument, leading to a crash. This issue can be exploited remotely, causing the AMF process to terminate unexpectedly due to a segmentation fault.
Exploiting this vulnerability causes the AMF process to crash, leading to a segmentation fault and an abnormal termination of the HTTP/2 stream.
To reproduce this vulnerability, deploy Open5GS version 2.7.7 using Docker. After registering a user equipment (UE) with a valid SUPI, send a malformed HTTP/2 callback request to the AMF SBI endpoint. The request should omit the 'newValue' in the 'changeItem', which will cause the AMF to crash by dereferencing the missing value. After the AMF process crashes, check the container logs to confirm the segmentation fault.
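The missing-'newValue' dereference described above is avoided by validating every change item before any of them is read. The following is an added example, not code from Open5GS or from this advisory: the struct, enum and function names are hypothetical stand-ins for a decoded notification, and the rule that add/replace items carry a value while remove items do not is an assumption of the sketch.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for a decoded notification; not Open5GS types. */
typedef enum { OP_ADD, OP_REMOVE, OP_REPLACE } change_op_t;

typedef struct {
    change_op_t op;
    const char *path;       /* NULL if the field was absent in the JSON */
    const char *new_value;  /* NULL if 'newValue' was absent */
} change_item_t;

enum { HTTP_NO_CONTENT = 204, HTTP_BAD_REQUEST = 400 };

/* Assumption of this sketch: add/replace carry a value, remove does not. */
static int needs_new_value(change_op_t op)
{
    return op == OP_ADD || op == OP_REPLACE;
}

/* Validate every item first, then process. A malformed notification is
 * rejected whole with 400 and no optional pointer is read unchecked. */
int handle_change_notify(const change_item_t *items, size_t n,
                         size_t *applied)
{
    size_t i;

    *applied = 0;
    if (items == NULL || n == 0)
        return HTTP_BAD_REQUEST;

    for (i = 0; i < n; i++) {
        if (items[i].path == NULL)
            return HTTP_BAD_REQUEST;
        if (needs_new_value(items[i].op) && items[i].new_value == NULL)
            return HTTP_BAD_REQUEST;   /* absent 'newValue': reject */
    }

    for (i = 0; i < n; i++) {
        /* Safe to read: checked above for every op that uses the value. */
        if (needs_new_value(items[i].op))
            (void)strlen(items[i].new_value);  /* stands in for real use */
        (*applied)++;
    }
    return HTTP_NO_CONTENT;
}
```

Returning an error status for the malformed body keeps the process alive and gives the sender a response it can log, instead of a torn-down HTTP/2 stream.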