Can you explain this vulnerability to me?

This vulnerability exists in Open5GS up to version 2.7.7, specifically in the Session Management Function (SMF) component. It occurs in the function gsm_build_pdu_session_establishment_accept when processing a malformed base64-encoded qosRules field during PDU session establishment.

The SMF expects the qosRules field to be valid base64-encoded NAS QoS Rules. If the field contains invalid base64 data, an assertion fails, causing the SMF process to crash with a fatal error (exit code 139). This crash results in a denial-of-service condition.

The attack can be launched remotely by sending a crafted HTTP 201 response from a fake Home-SMF server with an invalid qosRules value, causing the SMF to terminate unexpectedly instead of handling the malformed input gracefully.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can cause a denial-of-service (DoS) condition in the Open5GS SMF component by crashing the process when it receives malformed input.

Since the SMF is a critical part of the 5G core network responsible for session management, its crash can disrupt network services, potentially leading to loss of connectivity or degraded network performance for users relying on the affected system.

The attack can be executed remotely, increasing the risk of exploitation without requiring local access.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the SMF (Session Management Function) process for unexpected crashes or denial-of-service symptoms, especially when processing PDU session establishment responses.

Specifically, detection involves checking for crashes caused by malformed base64-encoded qosRules fields in HTTP 201 responses from H-SMF servers.

You can monitor the SMF logs for fatal errors or exit codes such as 139, which indicate assertion failures due to invalid base64 data.

While no exact commands are provided in the resources, general Linux commands to check for such crashes include:

• Use `journalctl -u open5gs-smf` or check the SMF service logs to identify crash events.
• Use `ps aux | grep open5gs-smf` to verify if the SMF process is running or has unexpectedly stopped.
• Use `dmesg | grep open5gs` or `dmesg | grep -i segfault` to find kernel messages related to process crashes.
• Monitor network traffic for suspicious or malformed HTTP 201 responses from H-SMF servers that contain invalid base64-encoded qosRules fields.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include preventing the SMF from processing malformed base64-encoded qosRules fields that cause the crash.

Since the vulnerability is triggered by a crafted HTTP 201 response from a fake or malicious H-SMF server, restricting or validating the sources of such responses can help mitigate the risk.

You should monitor and filter network traffic to block or alert on suspicious or malformed PDU session establishment responses.

Additionally, consider running the SMF process with monitoring and automatic restart mechanisms to reduce downtime caused by crashes.

As the project has not yet responded with a patch, stay updated on official releases and apply any future patches promptly.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0