Submission #626124: Open5GS <=v2.7.5 Denial of Service (Info)

Title: Open5GS <=v2.7.5 Denial of Service
Description: A denial-of-service (DoS) vulnerability exists in Open5GS AMF (version v2.7.5 and earlier), caused by improper handling of state transitions when the SMF fails to respond during PDU session establishment. This issue occurs when the AMF attempts to create an SM context and fails to connect to the SMF — for example, due to resource constraints on the SMF container (e.g., strict memory limits). Despite receiving a 504 error from the SMF, the AMF continues with NAS signaling, leading to an invalid internal state transition. This results in a fatal assertion failure in the function ngap_build_downlink_nas_transport() and causes the AMF process to crash. Instead of aborting the session and rejecting the NAS request as expected, the AMF proceeds as though the context was created successfully, which causes an invalid state and crashes the service. This leads to a denial-of-service condition, affecting all UE contexts processed by the AMF. A remote attacker could exploit this vulnerability by simulating frequent PDU session requests with SMF failures (due to resource constraints or network issues), causing the AMF process to crash repeatedly. CVSS v4.0 Base Score Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H Base Score: 8.8 (High)
Source: ⚠️ https://github.com/open5gs/open5gs/issues/3950
User: lixxxiang (UID 88572)
Submitted: 2025-07-31 08:12 (9 months ago)
Moderation: 2025-08-09 09:40 (9 days later)
Status: Accepted
VulDB entry: 319333 [Open5GS up to 2.7.5 AMF ngap_build_downlink_nas_transport denial of service]
Points: 20
