Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.5
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.5. The issue is in the QER/FAR/URR/PDR component, in the file 'lib/pfcp/context.c', and is triggered when the 'ogs_pfcp_pdr_find_or_add', 'ogs_pfcp_far_find_or_add', 'ogs_pfcp_urr_find_or_add', or 'ogs_pfcp_qer_find_or_add' functions are called. During PFCP Session Establishment, the User Plane Function (UPF) automatically allocates a QoS Enforcement Rule (QER) object whenever a CreatePDR references a QER-ID, even if no CreateQER instruction was provided. The allocation relies on an assertion that a remote peer can trigger, which terminates the process. The vulnerability has been publicly disclosed and may be exploited.
Exploitation of this vulnerability causes the Open5GS UPF process to crash, terminating all active user-plane sessions and creating a remote denial-of-service condition.
The vulnerability can be reproduced by initiating a PFCP Session Establishment request that includes more than four PDRs, each referencing a unique QER-ID, without supplying corresponding CreateQER definitions. This can be done using a crafted Go program that sends the malicious PFCP message over UDP to the Open5GS UPF endpoint.
Users are advised to update to Open5GS version 2.7.6 or later, where this vulnerability has been fixed.
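The failure mode described above, as an added C sketch of one defensive pattern: only CreateQER allocates, a QER-ID referenced by a CreatePDR is looked up but never created, and pool exhaustion is returned as an error instead of asserted. This is not Open5GS source or the 2.7.6 patch; all names, the result codes and the pool size of 4 (taken from the "more than four" above) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, NOT Open5GS source; every name here is hypothetical.
 * MAX_QER = 4 is an assumption taken from the advisory's "more than four". */
#define MAX_QER 4
enum { ACCEPTED, REJECT_UNDEFINED_QER, REJECT_NO_RESOURCES };

typedef struct { uint32_t id; int in_use; } qer_t;
typedef struct { qer_t qer[MAX_QER]; } session_t;

static qer_t *qer_find(session_t *s, uint32_t id) {
    for (size_t i = 0; i < MAX_QER; i++)
        if (s->qer[i].in_use && s->qer[i].id == id) return &s->qer[i];
    return NULL;
}

/* Pool exhaustion is reported as NULL, not asserted: the peer controls how
 * many distinct IDs arrive, so running out is an input error, not a bug. */
static qer_t *qer_find_or_add(session_t *s, uint32_t id) {
    qer_t *q = qer_find(s, id);
    for (size_t i = 0; !q && i < MAX_QER; i++)
        if (!s->qer[i].in_use) {
            s->qer[i] = (qer_t){ .id = id, .in_use = 1 };
            q = &s->qer[i];
        }
    return q;
}

/* One establishment request, reduced to the QER-IDs defined by CreateQER
 * and the QER-IDs referenced by CreatePDR. */
int handle_establishment(session_t *s, const uint32_t *create_qer, size_t n_qer,
                         const uint32_t *pdr_refs, size_t n_pdr) {
    for (size_t i = 0; i < n_qer; i++)          /* only CreateQER allocates */
        if (!qer_find_or_add(s, create_qer[i])) return REJECT_NO_RESOURCES;
    for (size_t i = 0; i < n_pdr; i++)          /* references look up only */
        if (!qer_find(s, pdr_refs[i])) return REJECT_UNDEFINED_QER;
    return ACCEPTED;
}

int main(void) {
    session_t s = {0};
    const uint32_t refs[] = {10, 11, 12, 13, 14};   /* constructed input */
    printf("result=%d\n", handle_establishment(&s, NULL, 0, refs, 5));
    return 0;
}
```

In this model a rejected request leaves the process running; the caller would discard the partially built session and answer the peer with an error.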