Executive Summary

This vulnerability exists in Open5GS up to version 2.7.7, specifically in the Policy Control Function (PCF) component's handling of delayed discovery responses during a SM Policy Association request.

When the PCF receives a delayed Network Repository Function (NRF) discovery response after the original client has disconnected, it attempts to send a fallback response on an already closed HTTP/2 stream. This causes an assertion failure and crashes the PCF.

The root cause is that the PCF does not properly discard or safely handle late discovery results, leading to dereferencing a dead stream and resulting in a denial of service.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability causes the Policy Control Function (PCF) in Open5GS to crash when it processes a delayed Network Repository Function (NRF) discovery response after the original client disconnects. Detection can involve monitoring the PCF for unexpected crashes or restarts.

To detect this issue, you can monitor Open5GS PCF logs for assertion failures related to `ogs_assert(stream)` or unexpected termination messages.

Additionally, you can simulate the conditions that cause the crash by sending SM Policy Association requests with short timeouts and using a test or fake NRF endpoint that delays responses, then observe if the PCF crashes.

Specific commands are not provided in the resources, but general approaches include:

• Check system logs for PCF crashes or assertion failures (e.g., using `journalctl -u open5gs-pcf` or examining Open5GS log files).
• Use network traffic analysis tools (e.g., tcpdump or Wireshark) to monitor SM Policy Association requests and responses, looking for delayed NRF discovery responses.
• Perform controlled tests with a client sending requests with short timeouts and a delayed NRF endpoint to reproduce the crash.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps are not explicitly detailed in the provided resources.

However, general best practices include:

• Monitor and restart the PCF service automatically if it crashes to minimize downtime.
• Limit exposure of the PCF endpoint to untrusted networks to reduce the risk of remote exploitation.
• Avoid using delayed or unreliable NRF endpoints that could trigger the vulnerability.
• Apply any patches or updates from the Open5GS project once available.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited remotely to cause a denial of service (DoS) in the Open5GS Policy Control Function.

An attacker can trigger the PCF to crash by manipulating the timing of discovery responses, which disrupts the normal operation of the network policy control.

This disruption can lead to service unavailability or degraded network performance, potentially affecting users relying on the affected Open5GS deployment.

Useful 0 Not Useful 0