| タイトル | Open5GS <=v2.7.5 Denail of Service |
|---|
| 説明 | A denial-of-service (DoS) vulnerability exists in Open5GS AMF (version v2.7.5 and earlier), caused by improper asynchronous state handling during the processing of delayed SBI client responses.
This vulnerability occurs when a UE and gNB repeatedly attach and detach under memory-constrained or unstable network conditions. If a late Nudm-SDM response is received after the RAN UE context has already been deleted, the AMF fails to validate the internal state before accessing it. This leads to a failed assertion (ran_ue_find_by_id returns NULL), causing a fatal crash of the amfd process.
An unauthenticated remote attacker can exploit this flaw by programmatically triggering frequent UE registrations and deregistrations, possibly accompanied by simulated gNB removal. In practical scenarios, this can cause AMF to crash within 1–10 minutes of repeated activity, leading to a persistent denial of access to the 5G core network.
Although the vulnerability does not impact confidentiality or integrity, it severely affects both general availability and the availability of critical security functions such as mobility management and authentication.
CVSS v4.0 Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Severity: HIGH |
|---|
| ソース | ⚠️ https://github.com/open5gs/open5gs/issues/3979 |
|---|
| ユーザー | lixxxiang (UID 88572) |
|---|
| 送信 | 2025年07月31日 07:39 (9 月 ago) |
|---|
| モデレーション | 2025年08月09日 07:44 (9 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 319327 [Open5GS 迄 2.7.5 AMF src/amf/npcf-build.c サービス拒否] |
|---|
| ポイント | 20 |
|---|