| tiêu đề | open5gs Open5GS v2.7.6 Improper Authentication |
|---|
| Mô tả | The AMF in Open5GS v2.7.6 processes PathSwitchRequest messages without verifying the UESecurityCapabilities IE against the value stored in the UE security context, in violation of 3GPP TS 33.501 §6.7.3.1.
When the target gNB sends a PathSwitchRequest containing UESecurityCapabilities, the AMF unconditionally overwrites the stored capability without (1) comparing the received value against the value negotiated during initial registration, (2) returning the locally stored capability to the target gNB to correct any mismatch, or (3) logging the discrepancy. All three actions are required by §6.7.3.1.
A target gNB submitting a PathSwitchRequest with downgraded or null UESecurityCapabilities (e.g., NIA0/NEA0 only, or all-zero capability bit-strings) causes the AMF to store the corrupted value and propagate it in subsequent HandoverRequest messages to other gNBs. This results in persistent handover failure or selection of weak/null security algorithms across all subsequent handovers for the affected UE. |
|---|
| Nguồn | ⚠️ https://github.com/open5gs/open5gs/issues/4393 |
|---|
| Người dùng | Seungjoon Na (UID 97657) |
|---|
| Đệ trình | 04/05/2026 18:13 (cách đây 1 tháng) |
|---|
| Kiểm duyệt | 30/05/2026 08:05 (26 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 367410 [Open5GS đến 2.7.6 NGAP PathSwitchRequest Message src/amf/ngap-handler.c xác thực yếu] |
|---|
| điểm | 20 |
|---|