Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in Open5GS up to version 2.7.7, specifically in the Policy Control Function (PCF) component. The issue occurs in the function pcf_sess_set_ipv6prefix when it processes an IPv6 address prefix that is not exactly 128 bits long. If a request includes a valid but non-128 IPv6 prefix (for example, a /64 prefix), the function triggers an assertion failure, causing the PCF process to crash.

The crash happens because the PCF expects the IPv6 prefix length to be exactly 128 bits, but it does not handle other valid prefix lengths properly. Instead of rejecting such requests with an error, the system terminates the PCF process, leading to a denial of service.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition in the Open5GS system. An attacker can remotely send a specially crafted request with a non-128 bit IPv6 prefix to the PCF, causing it to crash and potentially restart repeatedly.

Such crashes can disrupt the normal operation of the Policy Control Function, which is critical for managing policies in the network. This disruption can lead to service outages or degraded network performance, affecting users relying on the affected system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or restarts of the Open5GS PCF component when it processes POST requests to the endpoint `/npcf-smpolicycontrol/v1/sm-policies`.

Specifically, sending a POST request with an IPv6 address prefix that is not a /128 prefix (for example, `2001:db8::1/64`) to the PCF can reproduce the crash, indicating the presence of the vulnerability.

A suggested command to test this would be using curl to send a malformed request:

• curl -X POST http://<pcf-ip>:<port>/npcf-smpolicycontrol/v1/sm-policies -d '{"SmPolicyContextData":{"ipv6AddressPrefix":"2001:db8::1/64"}}' -H 'Content-Type: application/json'

If the PCF process crashes or the connection is reset and the container restarts, this indicates the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include monitoring and restricting incoming POST requests to the PCF endpoint `/npcf-smpolicycontrol/v1/sm-policies` to ensure that IPv6 prefixes are strictly validated before processing.

Implement network-level filtering or application-level input validation to block requests containing IPv6 prefixes that are not /128.

Additionally, consider isolating or limiting access to the PCF service to trusted sources only to reduce exposure to remote exploitation.

Since the vendor has not responded with a patch, closely monitor for updates or patches from Open5GS and apply them as soon as they become available.

Useful 0 Not Useful 0