CVE-2024-24447
📋 TL;DR
A buffer overflow vulnerability in the OpenAirInterface 5G Core AMF component allows attackers to cause denial of service by sending a specially crafted PDU Session Resource Setup Response message with an empty Response Item list. This affects deployments using oai-cn5g-amf for 5G core network functions.
💻 Affected Systems
- OpenAirInterface oai-cn5g-amf
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete AMF service crash leading to 5G network service disruption for all connected devices in the affected area
Likely Case
AMF process termination causing temporary service interruption until automatic restart mechanisms activate
If Mitigated
Limited impact with proper network segmentation and AMF redundancy preventing service disruption
🎯 Exploit Status
Exploitation requires sending a malformed NGAP message to the AMF; no authentication needed for the vulnerable function
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.0.1 and later
Vendor Advisory: https://openairinterface.org/
Restart Required: Yes
Instructions:
1. Download latest OAI AMF release from official repository
2. Replace vulnerable AMF binary
3. Restart AMF service
4. Verify service is running with patched version
🔧 Temporary Workarounds
Network Filtering
Linux: Implement network ACLs to restrict NGAP traffic to trusted N2 interfaces only
iptables -A INPUT -p sctp --dport 38412 -s trusted_ran_ip -j ACCEPT
iptables -A INPUT -p sctp --dport 38412 -j DROP
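A more defensive form of the two rules above, as an added example that is not from the vendor or the OAI project: `-A` appends after any existing INPUT rules, so an earlier ACCEPT can still admit NGAP traffic. The script below validates each gNB address and prints rules that use a dedicated chain inserted at the top of INPUT. The chain name `NGAP_N2`, the log prefix and the 192.0.2.x addresses are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not run) iptables commands for an NGAP allowlist.
# Chain name NGAP_N2, the log prefix and the sample addresses are assumptions.
NGAP_PORT=38412   # SCTP port used for NGAP in the rules above

# Succeed only if $1 is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set for the trusted gNB addresses given as arguments.
# Fails before printing anything if the list is empty or an address is malformed.
ngap_allowlist_rules() {
    [ "$#" -gt 0 ] || { echo "no trusted gNB addresses given" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    # Create the chain, or flush it if it already exists, so re-runs are clean.
    echo "iptables -N NGAP_N2 2>/dev/null || iptables -F NGAP_N2"
    for ip in "$@"; do
        echo "iptables -A NGAP_N2 -s $ip -j ACCEPT"
    done
    # Rate-limited log of rejected NGAP peers, then drop everything else.
    echo "iptables -A NGAP_N2 -m limit --limit 6/minute -j LOG --log-prefix 'ngap-drop: '"
    echo "iptables -A NGAP_N2 -j DROP"
    # Add the jump once, at position 1, so no earlier ACCEPT rule wins.
    echo "iptables -C INPUT -p sctp --dport $NGAP_PORT -j NGAP_N2 2>/dev/null || iptables -I INPUT 1 -p sctp --dport $NGAP_PORT -j NGAP_N2"
}

# Constructed sample input; review the printed commands before applying them as root.
ngap_allowlist_rules 192.0.2.10 192.0.2.11
```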
🧯 If You Can't Patch
- Implement strict network segmentation to isolate AMF from untrusted networks
- Deploy redundant AMF instances with load balancing to maintain service during potential DoS
🔍 How to Verify
Check if Vulnerable:
Check AMF version: if running oai-cn5g-amf version <= 2.0.0, system is vulnerable
Check Version:
./oai_amf -v | grep 'Version:'
Verify Fix Applied:
Verify AMF version is >= 2.0.1 and monitor for crash events in system logs
📡 Detection & Monitoring
Log Indicators:
- AMF process crash logs
- Core dump files in /tmp or /var/log
- NGAP protocol errors in AMF logs
Network Indicators:
- Unusual NGAP messages with empty response lists
- SCTP traffic spikes to AMF port 38412
SIEM Query:
source="amf.log" AND ("segmentation fault" OR "buffer overflow" OR "crash")