CVE-2024-56921

7.5 HIGH

📋 TL;DR

This vulnerability in Open5gs AMF allows remote attackers to cause a denial of service by sending specially crafted InitialUEMessage or Registration requests at specific times. The crash occurs due to incorrect error handling in the gmm_state_exception() function when processing Nausf_UEAuthentication_Authenticate responses. This affects all deployments running vulnerable versions of Open5gs.

💻 Affected Systems

Products:
  • Open5gs
Versions: v2.7.2 and possibly earlier versions (check specific commit history)
Operating Systems: Linux, BSD, Unix-like systems where Open5gs runs
Default Config Vulnerable: ⚠️ Yes
Notes: All Open5gs deployments with AMF component enabled are vulnerable. The issue is in core AMF processing logic.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete AMF service disruption leading to 5G network unavailability for affected subscribers, potentially cascading to other network functions.

🟠 Likely Case

Intermittent AMF crashes causing service degradation, dropped connections, and failed authentication attempts for 5G users.

🟢 If Mitigated

Limited impact with proper monitoring and rapid restart capabilities, though service interruptions may still occur.

🌐 Internet-Facing: HIGH - AMF components in 5G networks typically handle external UE connections and are exposed to attack vectors.
🏢 Internal Only: MEDIUM - Even internal-only deployments face risk from compromised devices or insider threats.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires timing-specific attacks but no authentication. Attackers need to understand 5G protocol specifics.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit f780f9af45c27b6f49987d96ba71dedb3dd85840 and later versions

Vendor Advisory: https://github.com/open5gs/open5gs/issues/3608

Restart Required: Yes

Instructions:

1. Update Open5gs to latest version or apply commit f780f9af45c27b6f49987d96ba71dedb3dd85840
2. Recompile Open5gs from source
3. Restart AMF service
4. Verify AMF is running without crashes

🔧 Temporary Workarounds

Rate limiting UE connections (all platforms)

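Implement connection rate limiting to reduce attack surface. UE signalling reaches the AMF inside the gNB's NGAP association over SCTP, so a per-source-IP limit at the AMF throttles new gNB associations rather than individual UE messages.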

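# Configure a firewall or load balancer to limit new connections per source IP.
# NGAP uses SCTP port 38412, not TCP. Accept new associations up to the limit, then drop the rest:
# Example iptables: iptables -A INPUT -p sctp --dport 38412 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ngap --hashlimit-mode srcip --hashlimit-upto 10/min -j ACCEPT
#                   iptables -A INPUT -p sctp --dport 38412 -m conntrack --ctstate NEW -j DROP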

🧯 If You Can't Patch

  • Implement network segmentation to isolate AMF from untrusted networks
  • Deploy redundant AMF instances with load balancing to maintain service during crashes

🔍 How to Verify

Check if Vulnerable:

Check Open5gs version: open5gs-amfd -v. If version is 2.7.2 or earlier without the fix commit, system is vulnerable.

Check Version:

open5gs-amfd -v

Verify Fix Applied:

Monitor AMF logs for crashes after applying patch. Test with normal UE registration traffic.

📡 Detection & Monitoring

Log Indicators:

  • AMF process crashes
  • gmm_state_exception errors in logs
  • UE authentication failures with specific timing patterns

Network Indicators:

  • Unusual spike in InitialUEMessage packets
  • Registration requests with specific timing patterns
  • AMF service port becoming unresponsive

SIEM Query:

source="open5gs.logs" AND ("AMF crashed" OR "gmm_state_exception" OR "UEAuthentication_Authenticate error")
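
The log indicators above can be checked offline with a short script. This is an added example, not Open5gs code or part of the advisory: it flags ERROR/FATAL lines that mention gmm_state_exception and reports a crash loop when the AMF starts too often inside one time window. The log layout, the "AMF initialize...done" startup text and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style "MM/DD HH:MM:SS.mmm: [domain] LEVEL: text";
# the layout and the startup text are assumptions, adjust them to your logs.
SAMPLE_LOG = """\
01/10 09:00:01.100: [app] INFO: AMF initialize...done
01/10 09:04:12.250: [gmm] ERROR: gmm_state_exception: unexpected SBI message
01/10 09:04:12.251: [gmm] FATAL: gmm_state_exception: Assertion failed
01/10 09:04:15.900: [app] INFO: AMF initialize...done
01/10 09:06:40.010: [gmm] FATAL: gmm_state_exception: Assertion failed
01/10 09:06:43.500: [app] INFO: AMF initialize...done
01/10 11:30:00.000: [amf] INFO: Registration complete
"""

LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d)\.\d+: \[(\w+)\] (\w+): (.*)$")
START_MARK = "AMF initialize...done"   # assumed startup banner
INDICATOR = "gmm_state_exception"      # log indicator named in the advisory


def scan_amf_log(text, year=2025, window=timedelta(minutes=10), max_starts=2):
    """Return (indicator_hits, crash_loops) for the text of an AMF log."""
    hits, starts = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip continuation lines and foreign formats
        # The log carries no year, so the caller supplies one.
        ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d %H:%M:%S")
        level, msg = m.group(3), m.group(4)
        if INDICATOR in msg and level in ("ERROR", "FATAL"):
            hits.append((ts, level, msg))
        if START_MARK in msg:
            starts.append(ts)
    # A crash loop shows up as more than max_starts startups inside one window.
    loops = []
    for i, first in enumerate(starts):
        in_window = [s for s in starts[i:] if s - first <= window]
        if len(in_window) > max_starts:
            loops.append((first, in_window[-1], len(in_window)))
    return hits, loops


if __name__ == "__main__":
    found, crash_loops = scan_amf_log(SAMPLE_LOG)
    print(len(found), "indicator lines;", len(crash_loops), "crash-loop window(s)")
```

Tune `window` and `max_starts` to how quickly your service manager restarts the AMF, so that a single planned restart does not raise an alert.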
