Open5GS AMF Denial-of-Service Vulnerability via Oversized NSSAI Entries

Vulnerability

A denial-of-service vulnerability has been identified in the AMF component of Open5GS versions through 2.7.7. The function 'amf_nudm_sdm_handle_provisioned' in 'nudm-handler.c' performs no proper bounds check when copying 'defaultSingleNssais' entries from the 'Nudm_SDM' 'am-data' response into a fixed-size array. The resulting out-of-bounds write corrupts memory and can crash the AMF process. The vulnerability can be exploited remotely and has been publicly disclosed.
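The missing check described above, sketched as an added example (this is not Open5GS source code). The type and function names, the struct layout and the capacity of 8 are assumptions; the page does not state the real array size. Rejecting the oversized list, rather than truncating it, is a design choice made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical capacity; the real array size is not given on the page. */
#define MAX_DEFAULT_SNSSAI 8

typedef struct { uint8_t sst; uint32_t sd; } snssai_t;
typedef struct {
    size_t   num_default;
    snssai_t default_snssai[MAX_DEFAULT_SNSSAI];
} subscribed_nssai_t;

enum { COPY_OK = 0, COPY_TOO_MANY = -1, COPY_BAD_ARG = -2 };

/* Copy `count` entries decoded from a peer's response into the fixed array.
 * The unchecked pattern is this same loop without the `count` comparison:
 * with count > MAX_DEFAULT_SNSSAI it writes past default_snssai[]. */
int copy_default_snssais(subscribed_nssai_t *dst, const snssai_t *src, size_t count)
{
    if (dst == NULL || (src == NULL && count > 0))
        return COPY_BAD_ARG;
    if (count > MAX_DEFAULT_SNSSAI)   /* peer-controlled length: check before any write */
        return COPY_TOO_MANY;
    dst->num_default = 0;
    for (size_t i = 0; i < count; i++)
        dst->default_snssai[dst->num_default++] = src[i];
    return COPY_OK;
}

/* Constructed input: n identical entries (the reproduction uses n = 32). */
int try_identical_entries(size_t n)
{
    snssai_t list[32];
    subscribed_nssai_t ctx;
    if (n > 32) return COPY_BAD_ARG;
    memset(&ctx, 0, sizeof(ctx));
    for (size_t i = 0; i < n; i++) { list[i].sst = 1; list[i].sd = 0x010203; }
    int rc = copy_default_snssais(&ctx, list, n);
    return rc == COPY_OK ? (int)ctx.num_default : rc;
}

int main(void)
{
    printf("32 entries -> %d\n", try_identical_entries(32));
    printf(" 8 entries -> %d\n", try_identical_entries(8));
    return 0;
}
```

A caller that receives the rejection code should fail the registration cleanly instead of continuing with a partially filled context.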

Impact

Exploitation of this vulnerability causes the AMF process to crash, terminating its operation and disrupting service.

Reproduction

The vulnerability can be reproduced by starting the Open5GS Docker lab with the AMF container running. After confirming that a subscriber exists, a gNB and a UE are started using UERANSIM. Once the UE registration flow is underway, the fake UDM helper is activated to replace the real UDM in the AMF's cache. When this fake UDM is configured to send a response with 32 identical 'defaultSingleNssais' entries, the AMF process crashes during the registration flow and exits with code 134.

Added: May 1, 2026, 5:08 PM
Updated: May 1, 2026, 5:08 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 7.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.