Invia #633467: Open5GS <= v2.7.5 Denial of Serviceinformazioni

TitoloOpen5GS <= v2.7.5 Denial of Service
DescrizioneA denial-of-service vulnerability exists in Open5GS AMF (version v2.7.5 and earlier) caused by improper handling of late SBI responses from the nudm-uecm service. Under certain constrained or unstable network conditions—such as when strict memory limits are applied—the AMF may receive an asynchronous PUT /nudm-uecm/... response after the corresponding UE context has already been deregistered or removed. When this late SBI response is processed, the AMF’s GMM state machine attempts to handle the event in a state with no valid transition path, triggering a fatal assertion (should not be reached) and causing the AMF process to terminate immediately. This results in the loss of service for all connected UEs and disruption of normal 5G core network operations. The vulnerability can be triggered remotely by causing rapid UE deregistration or creating conditions where SBI responses are delayed, such as through resource starvation or unstable inter-NF communication. It does not require any privileges or user interaction, and can be exploited over the network. This vulnerability has been evaluated using the CVSS v4.0 scoring system and received a base score of 8.6 (High severity) with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:NULL/UI:N/S:V/N:H/AC:S/PRU:N/VI:N/VA:H/SC:S/SA:N/SA:H The flaw primarily impacts service availability. While it does not directly compromise confidentiality or integrity, a successful exploit can cause high-impact denial of service by crashing the AMF, which handles UE registration, authentication, and session management. Persistent exploitation could make the 5G core network unavailable for extended periods. Immediate remediation is recommended for Open5GS deployments, including adding state validation for late SBI responses and discarding messages for non-existent UE contexts to prevent fatal state machine errors.
Fonte⚠️ https://github.com/open5gs/open5gs/issues/3947
Utente ZYC010101 (UID 88541)
Sottomissione13/08/2025 04:30 (11 mesi fa)
Moderazione24/08/2025 17:08 (12 days later)
StatoAccettato
Voce VulDB321241 [Open5GS fino a 2.7.5 src/amf/gmm-sm.c gmm_state_exception negazione del servizio]
Punti20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!