# Vulnerability Summary

## Vulnerability Overview

- **Title**: [Bug]: Reachable assertion in message.c:build_json allows remote Denial of Service of AMF #4321
- **Status**: Closed
- **Reporter**: ljungnickel
- **Report Date**: Feb 19
- **Vulnerability Type**: Remote Denial of Service
- **Vulnerability Description**: The AMF crashes when receiving an InitialUEMessage NGAP message from an AMF UE containing a non-zero, non-existent GUTI as the SGID.

## Impact Scope

- **Affected Versions**: Open5GS Release, Revision, or Tag: v2.7.0
- **Affected Component**: AMF (Access and Mobility Management Function)

## Remediation

- **Fixer**: acetcom
- **Fix Date**: Mar 10
- **Fix Details**:
  - Added a commit referencing this issue.
  - Fixed the handling of invalid registration types and ignored placeholder 5G-GUTI in the connection.

## Log Information

```
02/18 16:15:45.043: [amf] INFO: InitialUEMessage [../src/amf/context.c:2777]
02/18 16:15:45.043: [amf] INFO: [Ambe] Number of AMF-UEs is now 1 [../src/amf/context.c:1688]
02/18 16:15:45.043: [amf] INFO: RAN UE NGAP ID[20856] AMF UE NGAP ID[1] TAC[1] CellID[0x40001] [../src/amf/ng-handler.c:1593]
02/18 16:15:45.043: [amf] INFO: Unknown UE by SG-5_TMSI[AMF_ID:0x0,AMF_TMSI:0x0] [../src/amf/ng-handler.c:1593]
02/18 16:15:45.043: [amf] INFO: [Ambe] Number of AMF-UEs is now 1 [../src/amf/context.c:1688]
02/18 16:15:45.043: [gmm] INFO: Registration request [../src/amf/gmm/sm.c:1670]
02/18 16:15:45.043: [gmm] INFO: [Unknown ID] SG-5_GUTI[AMF_ID:0x0,AMF_TMSI:0x0] [../src/amf/gmm-handler.c:196]
02/18 16:15:45.043: [gmm] ERROR: Unknown reg type[0] [../src/amf/gmm/sm.c:1699]
02/18 16:15:45.043: [gmm] INFO: [Unknown ID] SG-5_GUTI[AMF_ID:0x0,AMF_TMSI:0x0] [../src/amf/gmm-handler.c:832]
02/18 16:15:45.043: [gmm] INFO: Serving Gumi[PLMN_ID:0x00900,AMF_ID:0x0000] [../src/amf/gmm-handler.c:435]
02/18 16:15:45.043: [core] ERROR: Ogsipdu:am_context_transfer_reg_data_convertToJSON() failed [reason] [../lib/so
02/18 16:15:45.044: [sbi] FATAL: build_json: Assertion `item != NULL' [../lib/core/ogsi-assert.c:173]
02/18 16:15:45.044: [core] FATAL: backtrace() returned 16 addresses [../lib/core/ogsi-assert.c:37]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b319f7f99) [0x7f2b319f7f99]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b31976742) [0x7f2b31976742]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]
/home/fuzz/open5gs_prod/install/lib/x86_64-linux-gnu/libopen5gs.so.2(0x7f2b3196f92a) [0x7f2b3196f92a]