| Title | Open5GS <= v2.7.5 Denial of Service |
|---|
| Description | A denial of service vulnerability exists in Open5GS AMF (v2.7.5 and earlier) that can be triggered during the handling of PCF (Policy Control Function) response payloads. When multiple UEs attempt to register under constrained memory conditions, the AMF enters an invalid state within its GMM (GPRS Mobility Management) state machine due to improperly handled service names in the PCF response.
This causes a fatal assertion in the AMF process, explicitly reaching a code path marked as "should not be reached". As a result, the AMF crashes and all registration sessions are disrupted, rendering the 5G core control plane partially unavailable. The issue is exacerbated in low-resource environments, such as memory-constrained Docker deployments.
An attacker with access to the RAN interface could exploit this flaw by simulating multiple UE registrations and malformed PCF interactions, leading to repeated AMF termination and service denial across the network.
This vulnerability is remotely exploitable without authentication, has a low attack complexity, and results in a high impact on service availability and the reliability of core 5G control plane operations. Although the flaw does not affect data confidentiality or integrity, it leads to a persistent denial of service (DoS) by crashing the Access and Mobility Management Function (AMF), thereby disrupting UE registration, session management, and subscriber authentication.
CVSS v4.0 Base Score: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H (High severity).
Given its ease of exploitation and significant operational impact, the vulnerability is considered highly critical in production or testbed 5G deployments using Open5GS. |
|---|
| Source | https://github.com/open5gs/open5gs/issues/3948 |
|---|
| User | xiaohan zheng (UID 88539) |
|---|
| Submission | 31/07/2025 08h04 (9 months ago) |
|---|
| Moderation | 09/08/2025 09h37 (9 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 319332 [Open5GS up to 2.7.5 AMF src/amf/gmm-sm.c gmm_state_de_registered/gmm_state_exception Denial of Service] |
|---|
| Points | 20 |
|---|