| 제목 | Open5GS <=v2.7.5 Denail of Service |
|---|
| 설명 | A denial-of-service (DoS) vulnerability exists in Open5GS AMF (version v2.7.5 and earlier), caused by improper handling of state transitions when the SMF fails to respond during PDU session establishment.
This issue occurs when the AMF attempts to create an SM context and fails to connect to the SMF — for example, due to resource constraints on the SMF container (e.g., strict memory limits). Despite receiving a 504 error from the SMF, the AMF continues with NAS signaling, leading to an invalid internal state transition. This results in a fatal assertion failure in the function ngap_build_downlink_nas_transport() and causes the AMF process to crash.
Instead of aborting the session and rejecting the NAS request as expected, the AMF proceeds as though the context was created successfully, which causes an invalid state and crashes the service. This leads to a denial-of-service condition, affecting all UE contexts processed by the AMF.
A remote attacker could exploit this vulnerability by simulating frequent PDU session requests with SMF failures (due to resource constraints or network issues), causing the AMF process to crash repeatedly.
CVSS v4.0 Base Score
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Base Score: 8.8(High)
|
|---|
| 원천 | ⚠️ https://github.com/open5gs/open5gs/issues/3950 |
|---|
| 사용자 | lixxxiang (UID 88572) |
|---|
| 제출 | 2025. 07. 31. AM 08:12 (9 개월 ago) |
|---|
| 모더레이션 | 2025. 08. 09. AM 09:40 (9 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 319333 [Open5GS 까지 2.7.5 AMF ngap_build_downlink_nas_transport 서비스 거부] |
|---|
| 포인트들 | 20 |
|---|