CVE-2024-24427

7.5 HIGH

📋 TL;DR

This vulnerability in Open5GS allows attackers to trigger a reachable assertion in the amf_ue_set_suci function via crafted NAS packets, causing a Denial of Service (DoS) that crashes the service. It affects all deployments running Open5GS versions up to and including 2.6.4. Mobile network operators and organizations using Open5GS for 5G core network functions are impacted.

💻 Affected Systems

Products:
  • Open5GS
Versions: <= 2.6.4
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the vulnerable AMF component are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption of the Open5GS AMF component, preventing mobile device registration and network access for all users served by that instance.

🟠 Likely Case

Intermittent service outages as attackers trigger crashes, requiring manual restarts and causing availability issues for mobile subscribers.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring allowing quick detection and response to attack attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires crafting specific NAS packets but no authentication is needed to send them to the AMF interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Open5GS 2.6.5 or later

Vendor Advisory: https://github.com/open5gs/open5gs/releases

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Stop Open5GS services.
3. Update to Open5GS 2.6.5 or later using the package manager or source compilation.
4. Restart Open5GS services.
5. Verify service functionality.

🔧 Temporary Workarounds

Network Access Control

Linux

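Restrict access to the AMF NAS interface (SCTP port 38412) to trusted IP addresses only. Replace trusted_network with the address or CIDR range of the trusted network.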

iptables -A INPUT -p sctp --dport 38412 -s trusted_network -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Open5GS AMF from untrusted networks
  • Deploy intrusion detection systems to monitor for crafted NAS packets and alert on attack patterns

🔍 How to Verify

Check if Vulnerable:

Check the Open5GS version; versions up to and including 2.6.4 are affected.

Check Version:

open5gs-amfd -v

Verify Fix Applied:

Confirm version is 2.6.5 or higher and monitor for assertion crashes in logs

📡 Detection & Monitoring

Log Indicators:

  • Assertion failure messages mentioning amf_ue_set_suci
  • AMF process crashes with core dumps
  • Unexpected service restarts

Network Indicators:

  • Unusual SCTP packets to port 38412 with malformed NAS messages
  • High volume of NAS registration requests from single sources

SIEM Query:

source="open5gs.log" AND ("assertion" OR "amf_ue_set_suci" OR "SIGABRT")
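
The version check and log indicators above, combined into a small triage script. This is an added example, not part of the advisory or of Open5GS; the sample log lines are constructed and their layout is an assumption, as are the function names.

```shell
#!/bin/sh
# Added example (not Open5GS project code): triage for CVE-2024-24427.
FIXED_VERSION="2.6.5"   # first fixed release, per the advisory

# Exit status 0 if version $1 (e.g. "2.6.4" or "v2.6.4") predates the fix.
is_vulnerable() {
    printf '%s %s\n' "${1#v}" "$FIXED_VERSION" | awk '{
        split($1, a, "."); split($2, b, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 < b[i] + 0) exit 0
            if (a[i] + 0 > b[i] + 0) exit 1
        }
        exit 1   # same as the fixed release: not vulnerable
    }'
}

# Print "suci_asserts=N other_aborts=M" for log file $1.
# suci_asserts: assertion lines naming amf_ue_set_suci (this CVE's indicator).
# other_aborts: any other assertion/SIGABRT/ABRT line (crash, cause unknown).
scan_amf_log() {
    awk '
        { line = tolower($0) }
        line ~ /amf_ue_set_suci/ && line ~ /assert/ { suci++; next }
        line ~ /assert|abrt/ { other++ }
        END { printf "suci_asserts=%d other_aborts=%d\n", suci, other }
    ' "$1"
}

# Constructed sample log; the line layout is an assumption, not real output.
write_sample_log() {
    cat > "$1" <<'EOF'
10/18 10:00:01.100: [amf] INFO: gNB-N2 accepted[192.0.2.10] (constructed)
10/18 10:00:02.200: [amf] FATAL: amf_ue_set_suci: Assertion failed (constructed)
open5gs-amfd.service: Main process exited, code=dumped, status=6/ABRT
10/18 10:03:00.000: [amf] FATAL: amf_ue_set_suci: Assertion failed (constructed)
10/18 10:03:05.000: [amf] INFO: NG-Setup request (constructed)
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
if is_vulnerable "2.6.4"; then echo "2.6.4: vulnerable, upgrade to $FIXED_VERSION+"; fi
scan_amf_log "$sample"     # suci_asserts=2 other_aborts=1
rm -f "$sample"
```

A non-zero suci_asserts count on a host where is_vulnerable succeeds is the combination worth alerting on; other_aborts alone indicates a crash whose cause still needs review.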
