Executive Summary

This vulnerability exists in Open5GS versions up to 2.7.7, specifically in the function update_authorized_pcc_rule_and_qos within the file /src/smf/npcf-handler.c of the SMF component.

The issue allows an attacker to manipulate this function, resulting in a denial of service condition.

The attack can be launched remotely, and the exploit is publicly available.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can cause a denial of service (DoS) in the affected Open5GS system.

This means that the system or service relying on Open5GS may become unavailable or unresponsive, potentially disrupting network functions.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability causes a denial of service by crashing the Session Management Function (SMF) in Open5GS when processing malformed input. This disruption of service could impact the availability of network functions.

However, there is no specific information provided about how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or unexpected termination of the Open5GS SMF process, especially exit code 139, which indicates an assertion failure in the update_authorized_pcc_rule_and_qos function.

Additionally, detection can be performed by capturing and analyzing network traffic for malformed POST requests to the endpoint /nsmf-callback/v1/sm-policy-notify/{smContextRef}/update containing invalid preemptCap values such as "BOOM".

Suggested commands include:

• Use system logs or process monitoring tools to check for SMF crashes: e.g., `journalctl -u open5gs-smf` or `ps aux | grep open5gs-smf` to detect unexpected exits.
• Use network packet capture tools like tcpdump or Wireshark to filter POST requests to the vulnerable endpoint: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'` and then search for requests containing invalid preemptCap values.
• Use curl or similar tools to test the endpoint with crafted requests to verify if the SMF crashes: `curl -X POST http://<open5gs-smf-ip>/nsmf-callback/v1/sm-policy-notify/<smContextRef>/update -d '{"arp":{"preemptCap":"BOOM"}}' -H 'Content-Type: application/json'`

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include monitoring and restricting access to the vulnerable SMF endpoint to prevent malicious crafted requests.

Implement network-level filtering or firewall rules to block suspicious POST requests containing invalid or unexpected preemptCap values.

Consider temporarily disabling or isolating the SMF component if possible until a patch or official fix is released.

Monitor the Open5GS project for updates or patches addressing this vulnerability and apply them as soon as they become available.

Useful 0 Not Useful 0