| 标题 | Open5GS <=v2.7.5 Denail of Service |
|---|
| 描述 | A denial-of-service (DoS) vulnerability exists in Open5GS AMF (version v2.7.5 and earlier), caused by improper asynchronous state handling during the processing of delayed SBI client responses.
This vulnerability occurs when a UE and gNB repeatedly attach and detach under memory-constrained or unstable network conditions. If a late Nudm-SDM response is received after the RAN UE context has already been deleted, the AMF fails to validate the internal state before accessing it. This leads to a failed assertion (ran_ue_find_by_id returns NULL), causing a fatal crash of the amfd process.
An unauthenticated remote attacker can exploit this flaw by programmatically triggering frequent UE registrations and deregistrations, possibly accompanied by simulated gNB removal. In practical scenarios, this can cause AMF to crash within 1–10 minutes of repeated activity, leading to a persistent denial of access to the 5G core network.
Although the vulnerability does not impact confidentiality or integrity, it severely affects both general availability and the availability of critical security functions such as mobility management and authentication.
CVSS v4.0 Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Severity: HIGH |
|---|
| 来源 | ⚠️ https://github.com/open5gs/open5gs/issues/3979 |
|---|
| 用户 | lixxxiang (UID 88572) |
|---|
| 提交 | 2025-07-31 07時39分 (9 月前) |
|---|
| 管理 | 2025-08-09 07時44分 (9 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 319327 [Open5GS 直到 2.7.5 AMF src/amf/npcf-build.c 拒绝服务] |
|---|
| 积分 | 20 |
|---|