CVE-2024-34476

Name of the Vulnerable Software and Affected Versions Open5GS versions prior to 2.7.1

Description The issue is related to a reachable assertion that can cause an AMF crash via NAS messages from a UE. This occurs due to improper handling of the pkbuf->len variable in the ogs nas encrypt function located in lib/nas/common/security.c.

Recommendations For versions prior to 2.7.1, upgrade to version 2.7.1 or later to resolve the issue. As a temporary workaround, consider restricting the handling of NAS messages from UEs to minimize the risk of exploitation. Audit the code for similar issues related to improper length handling to prevent future vulnerabilities.