A critical vulnerability designated as CVE-2024-24445 has been discovered in OpenAirInterface CN5G AMF (oai-cn5g-amf) versions 2.. and below. This vulnerability is a null pointer dereference in the handling of unsupported NGAP (Next Generation Application Protocol) messages, which can lead to a denial of service attack. To exploit this vulnerability, an attacker needs network-adjacent access to the AMF. This blog post explains the vulnerability in detail, walks through a code snippet, and includes links to original references.

Vulnerability Details

OpenAirInterface CN5G AMF is an open-source implementation of the 5G Core Network - Access and Mobility Management Function (AMF). The AMF handles the synchronization and coordination of the network. It is particularly responsible for the routing, registration, and security procedures. When the AMF receives a misconfigured or unsupported NGAP message, it attempts to process the unsupported message by indexing into a null function pointer and dereferencing it. This can potentially lead to a denial of service.

Exploit Example

When the attacker sends an unsupported NGAP message, the AMF will attempt to process the message by calling the unsupported_function_handler() function. This function is empty and contains no implementation for handling unsupported NGAP messages. Below is a code snippet illustrating this issue.

void unsupported_function_handler()
{
  // empty function
}

If a message contains an unsupported procedure code/presence field tuple, the AMF will erroneously index into a null function pointer. For example, if a message like {unsupported_code, presence_field} is received, the following code will try to access the null function pointer.

void process_unsupported_message(TUPLE message)
{
  unsigned int index = get_function_index(message);
  if (index >= NUM_FUNCTIONS)  // index is unsigned, so only the upper bound can fail
  {
    LOG_E("Unsupported function: index out of range\n");
    return;
  }

  void (*function_ptr)() = function_table[index];
  if (function_ptr == NULL)
  {
    LOG_E("Unsupported function: null function pointer\n");
    return;
  }

  function_ptr();
}

Here, get_function_index() attempts to find the index for the given unsupported message. However, this will likely return an invalid index, causing a null pointer dereference.
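
The flaw described above, as an added example that is not part of the original post and not OpenAirInterface code: a simplified handler table keyed by procedure code and presence field, dispatched once without a check on the table slot and once with it. The table dimensions, handler name and return codes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a dispatch table keyed by (procedure code, presence).
 * All names and sizes are hypothetical, not OpenAirInterface identifiers. */
#define NUM_CODES   4  /* constructed; real NGAP defines many more codes */
#define NUM_PRESENT 3  /* initiating / successful / unsuccessful message */

enum { DISPATCH_OK = 0, DISPATCH_OUT_OF_RANGE = -1, DISPATCH_UNSUPPORTED = -2 };
typedef int (*ngap_handler_t)(const unsigned char *pdu, size_t len);

int handle_setup_request(const unsigned char *pdu, size_t len) {
    (void)pdu; (void)len;          /* a real handler would decode the PDU */
    return DISPATCH_OK;
}

/* Sparse table: every slot without an initializer is a NULL pointer. */
const ngap_handler_t handlers[NUM_CODES][NUM_PRESENT] = {
    [1] = { [0] = handle_setup_request },
};

/* Flawed pattern: the indices are range-checked but the slot is not, so an
 * in-range tuple with no registered handler calls through NULL. */
int dispatch_unchecked(unsigned code, unsigned present,
                       const unsigned char *pdu, size_t len) {
    if (code >= NUM_CODES || present >= NUM_PRESENT)
        return DISPATCH_OUT_OF_RANGE;
    return handlers[code][present](pdu, len);
}

/* Hardened pattern: reject empty slots and report them instead of calling. */
int dispatch_checked(unsigned code, unsigned present,
                     const unsigned char *pdu, size_t len) {
    if (code >= NUM_CODES || present >= NUM_PRESENT)
        return DISPATCH_OUT_OF_RANGE;
    ngap_handler_t h = handlers[code][present];
    if (h == NULL) {
        fprintf(stderr, "unsupported NGAP tuple code=%u present=%u\n", code, present);
        return DISPATCH_UNSUPPORTED;
    }
    return h(pdu, len);
}

int main(void) {
    const unsigned char pdu[] = { 0x00 };          /* constructed sample bytes */
    printf("%d\n", dispatch_checked(1, 0, pdu, sizeof pdu));  /* supported */
    printf("%d\n", dispatch_checked(1, 2, pdu, sizeof pdu));  /* empty slot */
    printf("%d\n", dispatch_checked(9, 0, pdu, sizeof pdu));  /* out of range */
    return 0;
}
```

Logging the rejected tuple, as the hardened path does, also gives operators a signal that a peer is sending procedure codes the AMF does not implement.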

Mitigation and Resolution

It is highly recommended to update the affected oai-cn5g-amf to the latest version immediately to avoid potential exploitation. Meanwhile, users and network administrators can mitigate this vulnerability by implementing network segmentation and access control to AMF nodes.

References

1. Original Security Advisory for CVE-2024-24445
2. OpenAirInterface GitHub Repository

Conclusion

CVE-2024-24445 is a serious vulnerability that can lead to denial of service attacks in OpenAirInterface CN5G AMF. Network administrators need to take immediate action to update vulnerable versions and apply appropriate access control to protect their networks.

Timeline

Published on: 01/21/2025 22:15:11 UTC
Last modified on: 03/18/2025 21:15:24 UTC