CVE-2024-34475
📋 TL;DR
Open5GS versions before 2.7.1 contain a reachable assertion vulnerability in the AMF component that can be triggered by sending specially crafted NAS messages from a UE (User Equipment). This causes the AMF to crash, leading to denial of service for 5G core network services. Organizations running vulnerable Open5GS deployments are affected.
💻 Affected Systems
- Open5GS
📦 What is this software?
Open5GS by Open5GS
⚠️ Risk & Real-World Impact
Worst Case
An attacker could repeatedly crash the AMF component, causing sustained denial of service for 5G core network authentication and mobility management functions, potentially disrupting all UE connections.
Likely Case
Targeted or opportunistic attacks causing intermittent AMF crashes, leading to service disruptions for affected UEs and requiring manual intervention to restart services.
If Mitigated
With proper network segmentation and monitoring, impact is limited to isolated AMF instances with quick detection and recovery possible.
🎯 Exploit Status
Exploitation requires sending NAS messages to the AMF, which UEs normally do during authentication procedures.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.1
Vendor Advisory: https://github.com/open5gs/open5gs/compare/v2.7.0...v2.7.1
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Stop Open5GS services.
3. Update to Open5GS 2.7.1 via package manager or source compilation.
4. Restart Open5GS services.
5. Verify AMF is running correctly.
🔧 Temporary Workarounds
Network Segmentation
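Restrict UE access to the AMF component using firewall rules to only allow connections from trusted networks.
# NAS messages from UEs reach the AMF through the gNB over NGAP (N2), which runs on SCTP, so the rules match SCTP rather than TCP.
iptables -A INPUT -p sctp --dport [AMF_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p sctp --dport [AMF_PORT] -j DROP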
🧯 If You Can't Patch
- Implement strict network access controls to limit which UEs can communicate with the AMF component.
- Deploy monitoring and alerting for AMF process crashes with automated restart capabilities.
🔍 How to Verify
Check if Vulnerable:
Check the Open5GS version with open5gs-amfd --version, or examine the installed package version. If the version is below 2.7.1, the system is vulnerable.
Check Version:
open5gs-amfd --version 2>&1 | grep -o 'version [0-9.]*'
Verify Fix Applied:
After patching, verify that the version is 2.7.1 or higher and monitor AMF logs for stability during normal UE authentication procedures.
📡 Detection & Monitoring
Log Indicators:
- AMF process crashes
- Assertion failures in amf/gmm-sm.c
- Unexpected AMF restarts
- Authentication failures from legitimate UEs
Network Indicators:
- Unusual NAS message patterns to AMF
- Repeated authentication attempts from single UE
SIEM Query:
source="open5gs-amf.log" AND ("assertion" OR "crash" OR "segmentation fault")
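The log indicators and SIEM query above can also be applied directly to the AMF log file. The following is an added example, not part of the original advisory or the Open5GS project: it flags lines matching the query keywords and raises an alert when assertion failures in amf/gmm-sm.c repeat within a short window. The log line layout, the sample lines, and the names scan_amf_log, burst and window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Keywords from the page's SIEM query; the path is the page's log indicator.
KEYWORDS = re.compile(r"assertion|crash|segmentation fault", re.I)
GMM_SM = "amf/gmm-sm.c"
# Assumed timestamp prefix "MM/DD HH:MM:SS.mmm:" (no year in the log line).
TS = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}):")

# Constructed sample lines (not real Open5GS output).
SAMPLE = """\
05/10 12:00:01.100: [amf] INFO: constructed line, normal registration (../src/amf/gmm-sm.c:100)
05/10 12:00:02.200: [amf] FATAL: constructed_fn: Assertion `cond' failed. (../src/amf/gmm-sm.c:200)
05/10 12:00:09.000: [app] INFO: constructed line, AMF restarted
05/10 12:03:30.500: [amf] FATAL: constructed_fn: Assertion `cond' failed. (../src/amf/gmm-sm.c:200)
05/10 12:06:45.900: [amf] FATAL: constructed_fn: Assertion `cond' failed. (../src/amf/gmm-sm.c:200)
05/10 12:07:00.000: [amf] ERROR: constructed line, segmentation fault reported by supervisor
""".splitlines()

def scan_amf_log(lines, burst=3, window=timedelta(minutes=10)):
    """Return (hits, alert): keyword hits, and whether `burst` or more
    gmm-sm.c assertion failures fall inside one `window`."""
    hits, gmm_times = [], []
    for n, line in enumerate(lines, 1):
        if not KEYWORDS.search(line):
            continue
        m = TS.match(line)
        # The year is pinned to 2000 (a leap year) only so intervals can be computed.
        ts = (datetime.strptime("2000/" + m.group(1), "%Y/%m/%d %H:%M:%S.%f")
              if m else None)
        in_gmm = GMM_SM in line and "assert" in line.lower()
        hits.append({"line": n, "time": ts, "gmm_sm_assert": in_gmm})
        if in_gmm and ts:
            gmm_times.append(ts)
    gmm_times.sort()
    alert = any(gmm_times[i + burst - 1] - gmm_times[i] <= window
                for i in range(len(gmm_times) - burst + 1))
    return hits, alert

if __name__ == "__main__":
    hits, alert = scan_amf_log(SAMPLE)
    print(len(hits), "hits; repeated gmm-sm.c assertion alert:", alert)
```

A single assertion failure indicates a crash worth investigating; the burst alert corresponds to the repeated-crash scenario described under Worst Case.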