Open5GS Assertion Failure in SGW-C Component via Invalid Bearer ID

Vulnerability

An assertion failure vulnerability has been identified in Open5GS versions through 2.7.6. The issue is in the SGW-C component, specifically within the 'sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request' function. It is triggered by sending a GTPv2-C Create Indirect Data Forwarding Tunnel Request on the S11 interface with an invalid EPS Bearer ID (EBI) that does not match any existing bearer in the session. The failed assertion crashes the process, causing a denial-of-service condition on the control plane. The vulnerability can be exploited remotely, without any authentication requirements.
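The general defect class and its fix, as an added example that is not Open5GS code: a lookup keyed on a peer-supplied EBI is asserted in one handler and checked in the other. The types, function names and sample session are hypothetical, and rejecting with the GTPv2-C cause "Context not found" (64) is an assumed choice of response.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* GTPv2-C cause values (3GPP TS 29.274) */
#define CAUSE_REQUEST_ACCEPTED  16
#define CAUSE_CONTEXT_NOT_FOUND 64
#define MAX_BEARERS 11

/* Hypothetical session model, not Open5GS's structures. */
typedef struct { uint8_t ebi; int in_use; } bearer_t;
typedef struct { bearer_t bearers[MAX_BEARERS]; } session_t;

static bearer_t *find_bearer_by_ebi(session_t *s, uint8_t ebi)
{
    for (size_t i = 0; i < MAX_BEARERS; i++)
        if (s->bearers[i].in_use && s->bearers[i].ebi == ebi)
            return &s->bearers[i];
    return NULL; /* the EBI came from the peer, so a miss is a normal outcome */
}

/* Defect pattern: a failed lookup on peer-supplied input aborts the process. */
uint8_t handle_request_asserting(session_t *s, const uint8_t *ebis, size_t n)
{
    for (size_t i = 0; i < n; i++)
        assert(find_bearer_by_ebi(s, ebis[i]) != NULL);
    return CAUSE_REQUEST_ACCEPTED; /* tunnel setup would happen before this */
}

/* Hardened: validate every EBI first, reject the message, keep running. */
uint8_t handle_request_checked(session_t *s, const uint8_t *ebis, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (find_bearer_by_ebi(s, ebis[i]) == NULL)
            return CAUSE_CONTEXT_NOT_FOUND; /* no session state was modified */
    /* every referenced bearer exists; tunnel setup would go here */
    return CAUSE_REQUEST_ACCEPTED;
}

/* Constructed sample session holding bearers with EBI 5 and 6. */
session_t sample_session(void)
{
    session_t s = {0};
    s.bearers[0] = (bearer_t){ .ebi = 5, .in_use = 1 };
    s.bearers[1] = (bearer_t){ .ebi = 6, .in_use = 1 };
    return s;
}
```

Validating all EBIs before touching any bearer means a rejected request leaves the session unchanged, so the error response is the only side effect.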

Impact

Exploitation of this vulnerability causes the Open5GS SGW-C process to crash, leading to a denial-of-service condition where the service becomes unavailable.

Reproduction

The vulnerability can be reproduced by sending a Create Indirect Data Forwarding Tunnel Request with an invalid EBI to an Open5GS SGW-C instance. This can be done using a crafted Go program that simulates the request. The program must be configured to send the request to the SGW-C's S11 interface, with an EBI value that does not correspond to any existing bearer in the session. Once the request is sent, the SGW-C process will crash due to the assertion failure, demonstrating the vulnerability.

Added: Jan 17, 2026, 11:29 AM
Updated: Jan 17, 2026, 11:29 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 4.4
remediation: 7.7
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.