In OpenAirInterface V2.2.0 AMF, Out of sequence messages causes incorrect state transition during UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept! This leads the UE to be registered without proper authentication.
During the UE (User Equipment) registration procedure in the 5G Core Network, the AMF (Access and Mobility Management Function) component improperly handles messages received in unexpected order (CWE-288: Authentication Bypass Using an Alternate Path or Channel). When a SecurityModeComplete message is sent after an InitialUERegistration message — without prior proper authentication sequence completion — AMF first returns a registration rejection (registration reject), followed by acceptance (registration accept). As a result, the AMF state machine transitions to a registered state, despite authentication never being successfully completed.
An attacker can register a device in the 5G Core Network without any authentication, enabling unauthorized access to network resources, impersonation of legitimate subscribers, and potential disruption of telecommunications infrastructure operations.
Patches available from the vendor should be applied according to the references (bug report: https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77). It is recommended to monitor the project repository and update to the version containing the patch immediately upon its release. Until the patch is implemented, consider restricting access to AMF interfaces exclusively to trusted network segments.
OpenAirInterface OAI-CN5G-AMF version V2.2.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpenairinterface Oai Cn5g Amf
APPOpenairinterface2.2.0
Related vulnerabilities
OpenAirInterface Version 2.2.0 has a Buffer Overflow vulnerability in processing UplinkNASTransport containing...
OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has sup...
OpenAirInterface V2.2.0 AMF crashes when it receives an NGAP message with invalid procedure code or invalid PD...
OpenAirInterface CN5G AMF<=v2.1.9 has a buffer overflow vulnerability in processing NAS messages. Unauthorized...
OpenAirInterface CN5G AMF<=v2.0.1 There is a logical error when processing JSON format requests. Unauthorized ...