Open5GS Denial-of-Service Vulnerability via SUPI Validation Issue

A denial-of-service vulnerability has been identified in Open5GS version 2.7.2. The issue arises in the 'ogs_dbi_auth_info' function within 'lib/dbi/subscription.c', where the application crashes when a malformed SUPI (Subscription Permanent Identifier) is processed. This occurs because the function fails to validate the SUPI format before extraction, leading to assertion failures and application termination.

Impact

Exploitation of this vulnerability causes the Open5GS User Data Repository (UDR) component to crash, disrupting service and potentially leading to a loss of data continuity.

Reproduction

The vulnerability can be reproduced by sending a malformed SUPI value, such as 'imsiMALFORMED', to the '/nudr-dr/v1/subscription-data/imsiMALFORMED/authentication-data/authentication-subscription' endpoint of the Nudr_DataRepository API. This can be done using a crafted HTTP request that bypasses the normal validation checks, such as through a custom 'cargo' project that utilizes the 'solicit' library to send the payload. Once the malformed SUPI is processed, the UDR crashes, as indicated by the error logs.

Remediation

Users can update to the latest version of Open5GS, where this vulnerability has been addressed. Instructions for updating can be found in the Open5GS documentation.