| Título | Open5GS <= v2.7.5 Denial of Service |
|---|
| Descrição | A denial-of-service vulnerability exists in Open5GS AMF (version v2.7.5 and earlier) caused by improper handling of late SBI responses from the nudm-uecm service. Under certain constrained or unstable network conditions—such as when strict memory limits are applied—the AMF may receive an asynchronous PUT /nudm-uecm/... response after the corresponding UE context has already been deregistered or removed.
When this late SBI response is processed, the AMF’s GMM state machine attempts to handle the event in a state with no valid transition path, triggering a fatal assertion (should not be reached) and causing the AMF process to terminate immediately. This results in the loss of service for all connected UEs and disruption of normal 5G core network operations.
The vulnerability can be triggered remotely by causing rapid UE deregistration or creating conditions where SBI responses are delayed, such as through resource starvation or unstable inter-NF communication. It does not require any privileges or user interaction, and can be exploited over the network.
This vulnerability has been evaluated using the CVSS v4.0 scoring system and received a base score of 8.6 (High severity) with the following vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:NULL/UI:N/S:V/N:H/AC:S/PRU:N/VI:N/VA:H/SC:S/SA:N/SA:H
The flaw primarily impacts service availability. While it does not directly compromise confidentiality or integrity, a successful exploit can cause high-impact denial of service by crashing the AMF, which handles UE registration, authentication, and session management. Persistent exploitation could make the 5G core network unavailable for extended periods.
Immediate remediation is recommended for Open5GS deployments, including adding state validation for late SBI responses and discarding messages for non-existent UE contexts to prevent fatal state machine errors. |
|---|
| Fonte | ⚠️ https://github.com/open5gs/open5gs/issues/3947 |
|---|
| Utilizador | ZYC010101 (UID 88541) |
|---|
| Submissão | 13/08/2025 04h30 (há 11 meses) |
|---|
| Moderação | 24/08/2025 17h08 (12 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 321241 [Open5GS até 2.7.5 src/amf/gmm-sm.c gmm_state_exception Negação de Serviço] |
|---|
| Pontos | 20 |
|---|