CVE-2021-44081: Version 2.1.4: AMF stack smashing · Issue #1206 · open5gs/open5gs
A buffer overflow vulnerability exists in the AMF of open5gs 2.1.4. When the length of MSIN in Supi exceeds 24 characters, it leads to AMF denial of service.
When I used open5gs version 2.1.4 on an Ubuntu 20.04 system, I found a problem:
When the UE is in the initial registration period, if the length of the MSIN (part of the SUPI) exceeds the normal length by 24 characters, AMF stack smashing is caused, resulting in denial of AMF service.
I analyzed the causes of this problem:
When open5gs handles the initialUEMessage procedure, the requested space size is fixed (OGS_MAX_IMSI_BCD_LEN is 15), and the AMF does not verify the length of the SUPI number. This leads to a stack overflow.
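The report comes down to a fixed-size BCD buffer being filled from an attacker-controlled SUPI string with no length check. The following added example (not open5gs code, and not the reporter's) shows the shape of the check that closes that gap: the digit part of a `imsi-<digits>` SUPI is validated against `OGS_MAX_IMSI_BCD_LEN` before a single byte is copied, and anything longer or non-numeric is rejected. The `OGS_MAX_IMSI_BCD_LEN` value of 15 is taken from the issue text; the function names, the `imsi-` prefix format and the sample SUPIs are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the fixed BCD buffer length the issue reports for open5gs 2.1.4. */
#define OGS_MAX_IMSI_BCD_LEN 15

/*
 * Hypothetical helper (not open5gs's own API): copy the digits of a SUPI of the
 * form "imsi-<digits>" into a caller-supplied buffer of at least
 * OGS_MAX_IMSI_BCD_LEN + 1 bytes.
 *
 * Returns 0 on success and -1 when the input is rejected. The length test runs
 * before memcpy, so an over-long MSIN can never write past the buffer; that is
 * the check the report says the AMF lacks.
 */
int supi_to_imsi_bcd_checked(const char *supi, char *out, size_t out_size)
{
    const char *prefix = "imsi-";
    size_t plen = strlen(prefix);
    size_t ndigits;
    size_t i;

    if (supi == NULL || out == NULL || out_size < OGS_MAX_IMSI_BCD_LEN + 1)
        return -1;
    if (strncmp(supi, prefix, plen) != 0)
        return -1;

    ndigits = strlen(supi + plen);
    /* Reject empty or over-long digit strings before touching the buffer. */
    if (ndigits == 0 || ndigits > OGS_MAX_IMSI_BCD_LEN)
        return -1;
    /* BCD input must be decimal digits only. */
    for (i = 0; i < ndigits; i++) {
        if (!isdigit((unsigned char)supi[plen + i]))
            return -1;
    }

    memcpy(out, supi + plen, ndigits);
    out[ndigits] = '\0';
    return 0;
}

/* Convenience wrapper that uses a correctly sized stack buffer and reports
 * only the accept/reject decision. */
int check_supi(const char *supi)
{
    char bcd[OGS_MAX_IMSI_BCD_LEN + 1];
    return supi_to_imsi_bcd_checked(supi, bcd, sizeof bcd);
}

int main(void)
{
    /* Constructed sample inputs: a 15-digit IMSI, a 40-digit one, a non-numeric one. */
    const char *samples[] = {
        "imsi-001010000000001",
        "imsi-0010100000000010000000000000000000000000",
        "imsi-00101abcdef",
    };
    size_t n;

    for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
        printf("%-48s -> %s\n", samples[n],
               check_supi(samples[n]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of returning an error rather than truncating is that a SUPI longer than the buffer is not a value to be repaired; in a registration handler the right response is to reject the message and log it, which also gives the operator a detection signal for malformed registrations.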