Submit #818938: open5gs v2.7.6 Race Condition

Title: open5gs v2.7.6 Race Condition
Description: The AMF in Open5GS v2.7.6 does not enforce the concurrent security procedure rules defined in 3GPP TS 33.501 §6.9.5.1. The AMF initiates a NAS Security Mode Command (SMC) while an N2 handover procedure (carrying NH/NCC derived from the old KAMF) is still ongoing, and vice versa. gmm_state_security_mode() in src/amf/gmm-sm.c sends the SMC on OGS_FSM_ENTRY_SIG without checking whether an N2 handover procedure is in flight for the UE. Symmetrically, the HandoverRequired handler in src/amf/ngap-handler.c builds and sends HandoverRequest with a new NH/NCC without checking whether a NAS SMC is currently outstanding. There is no per-UE state field tracking concurrent procedures across the AMF state machine and the NGAP handler. When both procedures run concurrently, the SMC activates a new KAMF in the UE while the target gNB receives NH/NCC derived from the old KAMF, resulting in a KgNB mismatch between the UE and the target gNB. This breaks AS-layer security and can disrupt handover or NAS/AS verification. This violates 3GPP TS 33.501 §x.x.x.x Rules 1 and 2.
Source: ⚠️ https://github.com/open5gs/open5gs/issues/4497
User: Seungjoon Na (UID 97657)
Submission: 04/05/2026 18:09 (1 month ago)
Moderation: 01/06/2026 18:31 (28 days later)
Status: Accepted
VulDB entry: 367672 [Open5GS up to 2.7.6 NGAP Handover src/amf/gmm-sm.c gmm_state_security_mode race condition]
Points: 20
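
An added example, not Open5GS code and not the project's fix: a per-UE gate of the kind the description says is missing, which refuses to start a NAS SMC while an N2 handover is in flight and vice versa. The type and function names are hypothetical, and queuing the refused procedure instead of rejecting it is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical per-UE tracking of key-changing procedures.
 * These names are illustrative and do not exist in Open5GS. */
enum { PROC_NAS_SMC = 1, PROC_N2_HANDOVER = 2 };

typedef struct {
    unsigned ongoing;  /* procedures currently in flight for this UE */
    unsigned pending;  /* procedures refused while a conflicting one ran */
} ue_sec_procs_t;

/* The procedure that must not overlap with `proc`. */
static unsigned conflict_of(unsigned proc)
{
    return proc == PROC_NAS_SMC ? PROC_N2_HANDOVER : PROC_NAS_SMC;
}

/* Call before sending the SMC or the HandoverRequest.
 * Returns true if the message may be sent now, false if it must wait. */
bool ue_proc_begin(ue_sec_procs_t *ue, unsigned proc)
{
    if (ue->ongoing & conflict_of(proc)) {
        ue->pending |= proc;      /* remember it, send nothing yet */
        return false;
    }
    ue->ongoing |= proc;
    ue->pending &= ~proc;
    return true;
}

/* Call when the procedure completes, fails or times out.
 * Returns the pending procedure that may now start (0 if none);
 * the caller starts it through ue_proc_begin(). */
unsigned ue_proc_end(ue_sec_procs_t *ue, unsigned proc)
{
    ue->ongoing &= ~proc;
    return ue->pending & conflict_of(proc);
}

int main(void)
{
    ue_sec_procs_t ue = {0, 0};
    ue_proc_begin(&ue, PROC_N2_HANDOVER);          /* handover in flight */
    printf("SMC allowed during handover: %d\n",
           ue_proc_begin(&ue, PROC_NAS_SMC));      /* refused and queued */
    printf("runnable after handover ends: %u\n",
           ue_proc_end(&ue, PROC_N2_HANDOVER));    /* SMC may start now */
    return 0;
}
```

Both call sites named in the description would consult the same structure, so the check holds regardless of which procedure arrives first.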
