Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.7
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7, specifically within the AMF component. The issue arises in the 'ogs_id_get_value' function of the 'nudm-handler.c' file, where the application crashes due to a malformed GPSI entry. This vulnerability can be exploited remotely, causing the AMF process to abort during a standard UE registration flow when the 'nudm-sdm' 'am-data' response includes an incorrect GPSI format, such as 'msisdn' instead of the required 'msisdn-...' identifier.
Exploitation of this vulnerability leads to a crash of the AMF process, causing an abrupt termination with exit code 134.
The vulnerability can be reproduced by starting the Open5GS Docker lab and ensuring the necessary containers are running. After confirming the existence of a subscriber in MongoDB, initiate a gNB and UE using UERANSIM with the default configurations. Once the UE registration flow is underway, replace the real UDM in AMF's local cache with a fake UDM that returns a malformed GPSI entry. This will trigger the crash in the AMF process.
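One way to handle the malformed GPSI described above is to validate each entry and skip bad ones instead of aborting. This is an added example, not Open5GS code: `gpsi_msisdn_value` and `count_valid_gpsis` are hypothetical names, only the `msisdn-` form is handled, and the 5 to 15 digit bound is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an Open5GS function): returns a pointer to the
 * digits of a GPSI shaped like "msisdn-<digits>", or NULL when the entry is
 * malformed. The 5..15 digit bound is an assumption of this example. */
const char *gpsi_msisdn_value(const char *gpsi)
{
    static const char prefix[] = "msisdn-";
    const size_t plen = sizeof(prefix) - 1;
    size_t n;

    if (gpsi == NULL)
        return NULL;
    /* Rejects "msisdn" (no separator), "" and any other prefix. */
    if (strncmp(gpsi, prefix, plen) != 0)
        return NULL;
    for (n = 0; gpsi[plen + n] != '\0'; n++) {
        if (n >= 15 || !isdigit((unsigned char)gpsi[plen + n]))
            return NULL;
    }
    return n >= 5 ? gpsi + plen : NULL;
}

/* Counts usable entries in a "gpsis" list taken from an am-data response.
 * Malformed entries are skipped and reported, never asserted on, so a single
 * bad value from a peer cannot terminate the process. */
size_t count_valid_gpsis(const char *const *gpsis, size_t count)
{
    size_t i, ok = 0;

    for (i = 0; i < count; i++) {
        if (gpsi_msisdn_value(gpsis[i]) != NULL)
            ok++;
        else
            fprintf(stderr, "ignoring malformed GPSI entry %zu\n", i);
    }
    return ok;
}

int main(void)
{
    /* Constructed sample values, not captured traffic. */
    const char *const sample[] = { "msisdn-821012345678", "msisdn", "msisdn-" };

    printf("valid entries: %zu of 3\n", count_valid_gpsis(sample, 3));
    return 0;
}
```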