Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.6
A vulnerability exists in Open5GS versions through 2.7.6 in the AMF component, specifically in the function that resolves the UE context for incoming NGAP messages. The AMF does not verify that a UE-associated NGAP message arrives on the connection (gNB) that owns that UE context before processing responses related to PDU session setup. An attacker can therefore forge a response that redirects the downlink traffic of a legitimate UE to an attacker-controlled gNB, effectively intercepting that data. The vulnerability is exploitable remotely, and exploitation details have been published.
Exploitation of this vulnerability allows for unauthorized interception of downlink user-plane traffic from a legitimate UE to an attacker's gNB, by redirecting the traffic through a forged PDU session response that is accepted by the AMF and propagated to the SMF.
To reproduce this vulnerability, register a UE through one gNB (gNB-A) and establish a PDU session. Then, from a second gNB (gNB-B) that has completed its own NG setup with the AMF but serves no UE, send a forged PDU session response that carries the victim UE's identifiers and an attacker-controlled GTP-U endpoint. The AMF accepts this response and redirects the downlink traffic as if the response had come from the legitimate gNB.
Users are advised to update to Open5GS version 2.7.7 or later, where this vulnerability has been fixed.
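As an added illustration (not Open5GS code), the following C model shows the check whose absence is described above: the AMF resolves the UE context for a PDU session response only when that response arrives on the NGAP association that owns the context. All struct and function names, and the IDs and endpoint strings in the scenario, are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of AMF state (not Open5GS code): each gNB is one NGAP
 * association, and every UE context records the association that created it. */
typedef struct {
    uint64_t amf_ue_ngap_id;
    uint32_t ran_ue_ngap_id;
    uint32_t owning_gnb_id;        /* association that actually serves the UE */
    char     dl_gtpu_endpoint[40]; /* downlink GTP-U endpoint later pushed to the SMF */
} ue_context_t;

static ue_context_t g_ue[8];
static size_t g_ue_count;
/* UE registers through gnb_id; the new context remembers that association. */
ue_context_t *amf_register_ue(uint32_t gnb_id, uint64_t amf_id, uint32_t ran_id) {
    ue_context_t *ue = &g_ue[g_ue_count++];
    memset(ue, 0, sizeof *ue);
    ue->amf_ue_ngap_id = amf_id;
    ue->ran_ue_ngap_id = ran_id;
    ue->owning_gnb_id  = gnb_id;
    return ue;
}

/* Handle a PDU Session Resource Setup Response received from from_gnb_id.
 * With check_owner set, a response from any association other than the UE's
 * owner is dropped before it can change the downlink endpoint that the AMF
 * passes on to the SMF; without it the lookup is by NGAP IDs alone (unpatched). */
bool amf_handle_pdu_setup_response(uint32_t from_gnb_id, uint64_t amf_id,
                                   uint32_t ran_id, const char *gtpu_endpoint,
                                   bool check_owner) {
    for (size_t i = 0; i < g_ue_count; i++) {
        ue_context_t *ue = &g_ue[i];
        if (ue->amf_ue_ngap_id != amf_id || ue->ran_ue_ngap_id != ran_id)
            continue;
        if (check_owner && ue->owning_gnb_id != from_gnb_id)
            return false;
        strncpy(ue->dl_gtpu_endpoint, gtpu_endpoint, sizeof ue->dl_gtpu_endpoint - 1);
        return true;
    }
    return false; /* no such UE */
}

/* Advisory scenario: victim UE registered via gNB-A (id 1); a response quoting
 * its IDs arrives from gNB-B (id 2), which serves no UE. */
bool forged_response_accepted(bool check_owner) {
    g_ue_count = 0;
    amf_register_ue(1, 100, 7);
    return amf_handle_pdu_setup_response(2, 100, 7, "gnb-b-endpoint", check_owner);
}
```

With the ownership check the forged response is dropped before the AMF updates the downlink endpoint, so nothing is propagated to the SMF; a response from the owning gNB is still accepted.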