CVE-2021-44081

7.5 HIGH

📋 TL;DR

A buffer overflow vulnerability in the open5gs AMF component allows attackers to cause a denial of service by sending specially crafted SUPI messages with an MSIN exceeding 24 characters. This affects open5gs deployments running vulnerable versions and can disrupt 5G core network functions.

💻 Affected Systems

Products:
  • open5gs
Versions: 2.1.4 and possibly earlier versions
Operating Systems: Linux, Unix-based systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using the vulnerable AMF component. Exploitation requires an attacker to send malformed SUPI messages to the AMF interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete AMF service disruption leading to 5G network unavailability for affected subscribers, potentially cascading to other network functions.
🟠 Likely Case: AMF process crash causing temporary service interruption for subscribers, requiring service restart.
🟢 If Mitigated: Controlled restart of AMF service with minimal subscriber impact if monitoring and redundancy are in place.

🌐 Internet-Facing: MEDIUM - AMF typically sits behind multiple network layers but could be exposed in some deployments.
🏢 Internal Only: HIGH - Internal attackers or compromised network elements can exploit this to disrupt core network functions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the AMF interface. The vulnerability is straightforward to trigger with malformed input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.5 or later

Vendor Advisory: https://github.com/open5gs/open5gs/issues/1206

Restart Required: Yes

Instructions:

1. Update open5gs to version 2.1.5 or later.
2. Stop AMF service.
3. Install updated version.
4. Restart AMF service.
5. Verify service functionality.

🔧 Temporary Workarounds

  • Input validation at network perimeter (platform: all): Implement packet inspection to filter SUPI messages with MSIN exceeding 24 characters
  • Rate limiting and monitoring (platform: linux): Implement rate limiting on the AMF interface and monitor for abnormal SUPI message patterns

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to the AMF interface
  • Deploy redundant AMF instances with load balancing to maintain service during disruptions

🔍 How to Verify

Check if Vulnerable:

Check the open5gs version: open5gs-amfd --version. If the version is 2.1.4 or earlier, the system is vulnerable.

Check Version:

open5gs-amfd --version

Verify Fix Applied:

After patching, verify the version is 2.1.5 or later and test with valid SUPI messages of varying lengths.

📡 Detection & Monitoring

Log Indicators:

  • AMF process crashes
  • Abnormal termination logs
  • SUPI messages with MSIN length > 24 characters in debug logs

Network Indicators:

  • Sudden drop in AMF service availability
  • Increased error responses from AMF

SIEM Query:

source="open5gs" AND ("AMF crash" OR "buffer overflow" OR "Supi length")
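
Added example (not part of this advisory or of open5gs): a Python scan for the third log indicator above, flagging identifiers whose MSIN is longer than the 24 characters stated on this page. It assumes identifiers appear in logs in the SUCI text form suci-<type>-<mcc>-<mnc>-<routing>-<scheme>-<key id>-<output> and inspects only IMSI-type, null-scheme entries, where the last field is the MSIN itself; the names and the sample lines are constructed for illustration.

```python
import re

MSIN_LIMIT = 24  # threshold taken from this page

# Assumed SUCI text form:
# suci-<supi type>-<mcc>-<mnc>-<routing indicator>-<scheme id>-<key id>-<scheme output>
SUCI_RE = re.compile(
    r"suci-(?P<type>\d)-(?P<mcc>\d{3})-(?P<mnc>\d{2,3})-(?P<ri>[0-9a-fA-F]{1,4})"
    r"-(?P<scheme>[0-9a-fA-F]+)-(?P<keyid>\d{1,3})-(?P<out>[0-9a-fA-F]+)"
)

def oversized_msins(lines, limit=MSIN_LIMIT):
    """Return (line_no, mcc, mnc, msin_len) for each null-scheme SUCI whose MSIN exceeds limit."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for m in SUCI_RE.finditer(line):
            # With SUPI type 0 (IMSI) and scheme 0 (null) the last field is the MSIN in clear.
            # For other schemes it is concealed output, so its length says nothing about the MSIN.
            if m["type"] != "0" or m["scheme"] != "0":
                continue
            if len(m["out"]) > limit:
                hits.append((line_no, m["mcc"], m["mnc"], len(m["out"])))
    return hits

# Constructed sample lines, not real open5gs output.
SAMPLE_LOG = [
    "12/01 10:00:01.100: [amf] DEBUG: [suci-0-001-01-0000-0-0-0000000001] registration request",
    "12/01 10:00:02.200: [amf] DEBUG: [suci-0-001-01-0000-0-0-" + "1" * 30 + "] registration request",
    "12/01 10:00:03.300: [amf] DEBUG: [suci-0-001-01-0000-1-1-" + "ab" * 40 + "] registration request",
]

if __name__ == "__main__":
    for line_no, mcc, mnc, length in oversized_msins(SAMPLE_LOG):
        print(f"line {line_no}: PLMN {mcc}/{mnc} MSIN length {length} > {MSIN_LIMIT}")
```

A vulnerable AMF may crash before it logs the identifier, so the same function is better fed from a capture or proxy upstream of the AMF where one exists.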
