Open5GS AMF Denial-of-Service Vulnerability via PDU Session Modification Handling

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7, specifically within the AMF component. The issue arises in the 'amf_nsmf_pdusession_handle_update_sm_context' function, located in 'src/amf/nsmf-handler.c'. When the SMF sends a successful PDU session modification response that includes a specific N2 SM Info type, but the AMF is not in an expected state, the AMF process crashes. This vulnerability can be exploited remotely, causing a significant disruption in service.

Impact

Exploiting this vulnerability leads to a crash of the AMF process, causing a disruption in handling user equipment and gNodeB interactions, which can impact ongoing sessions and registrations.

Reproduction

The vulnerability can be reproduced by initiating a PDU session modification request from the user equipment (UE) while the AMF is in a state that does not accept the response type being sent by the SMF. This can be done by first establishing a PDU session and then manually triggering the modification response from a simulated SMF that includes the problematic N2 SM Info type, causing the AMF to crash.