Executive Summary

This vulnerability exists in Open5GS up to version 2.7.7, specifically in the Session Management Function (SMF) component's function ogs_nas_parse_qos_rules. When the SMF processes a PDU Session Modification Request containing a Quality of Service (QoS) rule with an empty packet-filter content, it crashes. This happens because the SMF expects the packet-filter reconfiguration to return a positive value, but it fails when the packet-filter is empty, causing the SMF process to abort with a fatal error and terminate the container.

The crash occurs before any HTTP response is sent, resetting the client connection unexpectedly. The expected behavior would be for the SMF to reject such invalid QoS rules with a normal protocol error instead of crashing.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition by crashing the SMF component of Open5GS when it processes malformed QoS rules. Because the SMF process aborts and the container terminates, this disrupts the normal operation of the 5G core network functions, potentially causing service interruptions or outages for users relying on the affected network.

Since the attack can be executed remotely, an attacker could exploit this vulnerability to repeatedly crash the SMF, leading to degraded network availability and reliability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability causes the Session Management Function (SMF) in Open5GS to crash when processing a PDU Session Modification Request containing a QoS rule with an empty packet-filter content.

Detection can be done by monitoring the SMF process for unexpected crashes or container restarts with exit code 139, especially after receiving PDU Session Modification Requests.

You can check system logs or container logs for such crashes and look for error messages related to the function gsm_handle_pdu_session_modification_qos_rules or reconfigure_packet_filter failures.

• Use commands like `docker logs <smf_container>` or `journalctl -u open5gs-smf` to inspect logs for crash evidence.
• Monitor process status with `ps aux | grep open5gs-smf` to detect if the SMF process is unexpectedly restarting.
• Capture and analyze network traffic for PDU Session Modification Requests containing QoS rules with empty packet-filter content using tools like `tcpdump` or `wireshark`.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves preventing the SMF from processing PDU Session Modification Requests that contain QoS rules with empty packet-filter content, as this triggers the crash.

Since the project has not yet responded with a fix, consider implementing input validation or filtering at the network edge or firewall to block malformed QoS rules.

Monitor the Open5GS project for updates or patches addressing this issue and plan to apply them as soon as they become available.

Additionally, ensure that your system has proper process supervision and automatic restart mechanisms to minimize downtime caused by crashes.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0