CVE-2024-24442
📋 TL;DR
A NULL pointer dereference vulnerability in OpenAirInterface's 5G AMF software allows attackers to crash the service by sending specially crafted NGAP messages. This affects all deployments running oai-cn5g-amf version 2.0.0 or earlier, potentially disrupting 5G core network functionality.
💻 Affected Systems
- OpenAirInterface CN5G AMF (oai-cn5g-amf)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete AMF service crash leading to denial of 5G registration and mobility services for all connected UEs in the affected area.
Likely Case
Service disruption affecting a subset of users or requiring AMF restart, causing temporary 5G connectivity loss.
If Mitigated
Limited impact if AMF is behind proper network segmentation and NGAP message filtering.
🎯 Exploit Status
Requires ability to send NGAP messages to the AMF interface, which typically requires network access to the mobile core.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after v2.0.0 (check latest release)
Vendor Advisory: http://openairinterface.com
Restart Required: Yes
Instructions:
1. Check OpenAirInterface repository for latest AMF release. 2. Update to patched version. 3. Restart AMF service. 4. Verify NGAP functionality.
🔧 Temporary Workarounds
Network Segmentation
linuxRestrict NGAP interface access to trusted N2 interfaces only
iptables -A INPUT -p sctp --dport 38412 -s trusted_gNodeB_ips -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to AMF NGAP interface (port 38412/SCTP)
- Deploy intrusion detection for malformed NGAP messages
🔍 How to Verify
Check if Vulnerable:
Check AMF version: grep 'AMF_VERSION' /path/to/amf/config or check build logsCheck Version:
amf --version 2>&1 | grep -i versionVerify Fix Applied:
Verify AMF version is >2.0.0 and monitor for crash logs after update📡 Detection & Monitoring
Log Indicators:
- AMF crash logs
- Segmentation fault in AMF process
- NGAP message parsing errors
Network Indicators:
- Unusual NGAP message patterns
- SCTP packets to AMF port 38412 from untrusted sources
SIEM Query:
process:amf AND (event:segfault OR event:crash) OR port:38412 AND protocol:sctp AND NOT src_ip:trusted_gNodeB_subnet