CVE-2024-24446

6.5 MEDIUM

📋 TL;DR

An uninitialized pointer dereference vulnerability in OpenAirInterface CN5G AMF allows attackers to cause Denial of Service (DoS) by sending a crafted InitialContextSetupResponse message. This affects all deployments using OpenAirInterface CN5G AMF up to version 2.0.0, potentially disrupting 5G core network functionality.

💻 Affected Systems

Products:
  • OpenAirInterface CN5G AMF
Versions: All versions up to and including v2.0.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where AMF is exposed to untrusted traffic sources. The vulnerability requires the AMF to receive the crafted message.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete AMF service crash leading to loss of 5G network connectivity for all users served by that AMF instance, requiring manual restart and causing extended service disruption.

🟠 Likely Case

AMF process crash resulting in temporary service interruption until automatic or manual restart occurs, affecting user connectivity during the downtime.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, allowing quick detection and recovery with minimal service disruption.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending a specifically crafted InitialContextSetupResponse message to the AMF. No authentication is required if the attacker can reach the AMF interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.0.1 or later

Vendor Advisory: https://openairinterface.org/

Restart Required: Yes

Instructions:

  1. Download OpenAirInterface CN5G AMF v2.0.1 or later from the official repository.
  2. Stop the AMF service.
  3. Replace the AMF binary with the patched version.
  4. Restart the AMF service.
  5. Verify the service is running correctly.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict access to AMF interfaces to only trusted network sources using firewall rules.

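# InitialContextSetupResponse is an NGAP message, and NGAP runs over SCTP, so the rules match sctp rather than tcp
iptables -A INPUT -p sctp --dport <AMF_PORT> -s <TRUSTED_NETWORK> -j ACCEPT
iptables -A INPUT -p sctp --dport <AMF_PORT> -j DROP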

Rate Limiting

linux

Implement rate limiting on AMF interfaces to reduce the impact of potential DoS attacks.

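# NGAP runs over SCTP; the limit counts every packet to the port, so size it above normal signalling load
iptables -A INPUT -p sctp --dport <AMF_PORT> -m limit --limit 10/second -j ACCEPT
iptables -A INPUT -p sctp --dport <AMF_PORT> -j DROP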

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate AMF from untrusted networks.
  • Deploy monitoring and alerting for AMF process crashes with automated restart capabilities.

🔍 How to Verify

Check if Vulnerable:

Check the AMF version by examining the binary or configuration files. If version is 2.0.0 or earlier, the system is vulnerable.

Check Version:

./amf --version or check the version in the configuration files

Verify Fix Applied:

After patching, verify the AMF version shows 2.0.1 or later and test that the service remains stable when receiving normal traffic.

📡 Detection & Monitoring

Log Indicators:

  • AMF process crash logs
  • Segmentation fault errors in system logs
  • Unexpected AMF service restarts

Network Indicators:

  • Unusual InitialContextSetupResponse messages from untrusted sources
  • Multiple connection attempts to AMF port from single source

SIEM Query:

source="amf.log" AND ("segmentation fault" OR "crash" OR "abort")
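
The version check and log indicators above can be combined into one triage helper. This is an added example, not vendor tooling or code from this page; the sample log, process name and unit name are constructed, and the `segfault` and `SEGV` terms go beyond the page's query because kernel and systemd messages use those spellings.

```shell
#!/usr/bin/env bash
# Added example for CVE-2024-24446 triage; not vendor or OpenAirInterface tooling.

FIXED_VERSION="2.0.1"   # first patched release named on this page

# Exit 0 if the version is older than FIXED_VERSION (accepts "v2.0.0" or "2.0.0").
# Ordering relies on GNU sort -V.
amf_is_vulnerable() {
    local v="${1#v}"
    [ "$v" = "$FIXED_VERSION" ] && return 1
    [ "$(printf '%s\n%s\n' "$v" "$FIXED_VERSION" | sort -V | head -n1)" = "$v" ]
}

# Count crash indicators in a log file. The first three terms are the page's
# SIEM query; "segfault" and "SEGV" are added here because kernel and systemd
# messages use those spellings rather than "segmentation fault".
count_crash_indicators() {
    grep -ciE 'segmentation fault|crash|abort|segfault|SEGV' -- "$1" || true
}

# Constructed sample log (process name, PID and unit name are made up).
write_sample_log() {
    cat > "$1" <<'EOF'
2024-03-01T10:15:01Z amf[4121]: NGAP association established with gNB
2024-03-01T10:15:02Z kernel: amf[4121]: segfault at 0 ip 0000000000000000 sp 0000000000000000 error 4
2024-03-01T10:15:02Z systemd[1]: amf.service: Main process exited, code=dumped, status=11/SEGV
2024-03-01T10:15:07Z systemd[1]: amf.service: Scheduled restart job, restart counter is at 1.
2024-03-01T10:15:08Z amf[4190]: AMF started
EOF
}

demo() {
    local log; log="$(mktemp)"
    write_sample_log "$log"
    for v in v1.5.1 2.0.0 v2.0.1 2.1.0; do
        if amf_is_vulnerable "$v"; then echo "$v: vulnerable"; else echo "$v: patched"; fi
    done
    echo "crash indicators: $(count_crash_indicators "$log")"
    rm -f "$log"
}
demo
```

On the sample log, the page's three query terms alone would match nothing; both hits come from the kernel and systemd spellings.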
