Executive Summary

This vulnerability exists in Open5GS up to version 2.7.7, specifically in the Session Management Function (SMF) component. When the SMF, operating in the home-routed V-SMF role, receives a 201 Created response for a POST request to /nsmf-pdusession/v1/pdu-sessions, it expects certain data fields. If the response's PduSessionCreatedData is missing the hcnTunnelInfo field, the SMF's error handling code attempts to dereference a null pointer while logging this missing information. This causes the entire SMF process to crash with exit code 139.

The vulnerability can be triggered remotely by sending a malformed response that omits the hcnTunnelInfo field. Instead of gracefully rejecting the malformed response and terminating only the affected transaction, the SMF process crashes entirely, leading to a denial of service.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause a denial of service (DoS) in the Open5GS Session Management Function (SMF). An attacker can remotely trigger the crash by sending a specially crafted response missing required data fields, causing the SMF process to terminate unexpectedly.

The impact is that the SMF service becomes unavailable, potentially disrupting network session management and related services that depend on Open5GS. This could lead to service outages or degraded network performance.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the behavior of the Open5GS SMF process, especially looking for crashes with exit code 139 which indicate a segmentation fault caused by dereferencing a null pointer.

Specifically, detection involves checking if the SMF crashes when it receives a 201 Created response for a POST request to /nsmf-pdusession/v1/pdu-sessions where the PduSessionCreatedData is missing the hcnTunnelInfo field.

To detect this on your system, you can monitor Open5GS SMF logs for crashes or use network traffic capture tools to inspect POST responses to the mentioned endpoint for missing hcnTunnelInfo.

• Use system logs or process monitoring commands like `journalctl -u open5gs-smf` or `ps` and `dmesg` to detect unexpected SMF process terminations.
• Capture network traffic with tools like `tcpdump` or `wireshark` filtering for POST requests to `/nsmf-pdusession/v1/pdu-sessions` and inspect the JSON response for missing `hcnTunnelInfo`.
• Example tcpdump command: `tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'` and then filter HTTP POST responses.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include monitoring and restricting access to the SMF component to prevent malicious POST requests that omit the hcnTunnelInfo field.

Since the vulnerability causes a denial of service by crashing the SMF process, applying input validation or filtering malformed responses before they reach the SMF can help mitigate the issue.

Additionally, consider implementing network-level protections such as firewall rules or API gateways to block or validate requests to the vulnerable endpoint.

Monitor for updates or patches from the Open5GS project, as the issue was reported but no response or fix has been released yet.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0