Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.7
A denial-of-service vulnerability has been identified in the AMF component of Open5GS versions through 2.7.7. In the 'gmm_handle_service_request' function, the AMF crashes if an SMF responds to a service modification request without including the required 'n2SmInfo'. When this omission occurs while the AMF is actively processing a service request, the AMF process terminates abruptly. The vulnerability can be exploited remotely, causing a significant disruption in service.
Exploitation of this vulnerability causes the AMF process to crash, disrupting service management functions and potentially leading to broader service availability issues.
The vulnerability can be reproduced by sending a success response to the AMF's service request that intentionally omits the 'n2SmInfo' field. This can be done using a local harness that simulates the SMF response. The AMF will crash during the service request handling process, specifically when it reaches a state that expects the 'n2SmInfo' but does not receive it.