| 제목 | Open5GS <=v2.7.5 Denail of Service |
|---|
| 설명 | A denial-of-service (DoS) vulnerability exists in Open5GS AMF (version v2.7.5 and earlier) caused by missing state validation in the GMM state machine when processing delayed SBI responses.
This issue is triggered under memory-constrained or unstable runtime conditions, where a UE and gNB repeatedly attach and detach. During this cycle, a delayed smf-select-data response is received from nudm-sdm after the AMF UE context has already been removed, and the UE has entered the DEREGISTERED state.
Because the GMM state machine has no valid logic to handle SBI events in this state, the event is forwarded to gmm_state_exception(), which raises a fatal assertion (should not be reached), causing the AMF process to crash immediately.
A remote, unauthenticated attacker can exploit this behavior by rapidly triggering registration and de-registration flows, causing repeated UE context cleanup and triggering the crash with a delayed SBI response.
Although this vulnerability does not compromise confidentiality or integrity, it results in a complete loss of AMF availability and disables 5G core network functions until manual recovery.
CVSS v4.0 Base Score
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Base Score: 8.6 (High) |
|---|
| 원천 | ⚠️ https://github.com/open5gs/open5gs/issues/3977 |
|---|
| 사용자 | lixxxiang (UID 88572) |
|---|
| 제출 | 2025. 07. 31. AM 07:51 (9 개월 ago) |
|---|
| 모더레이션 | 2025. 08. 09. AM 09:16 (9 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 319329 [Open5GS 까지 2.7.5 AMF src/amf/gmm-sm.c gmm_state_exception 서비스 거부] |
|---|
| 포인트들 | 20 |
|---|