Open5GS Denial-of-Service Vulnerability via Crafted PDU Session Modification Request

A denial-of-service vulnerability exists in Open5GS version 2.7.3. A remote attacker can exploit this issue by sending a crafted PDU Session Modification Request, which leads to an assertion failure in the session management function. The vulnerability arises because the function improperly handles Quality of Service (QoS) flows, particularly Non-Guaranteed Bit Rate (Non-GBR) flows, causing the modification request to fail.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by disrupting the PDU session modification process, leading to assertion failures and potential crashes of the session management component.

Reproduction

To reproduce this vulnerability, perform the following steps: 1. Power on the User Equipment (UE) and complete the 5G registration with the Open5GS Access and Mobility Management Function (AMF) and Session Management Function (SMF). 2. Establish a PDU session (Session ID 1) and verify its successful setup. 3. Request a second PDU session (Session ID 3) and confirm its establishment. 4. Send a PDU Session Modification Request for Session ID 3, including a QoS rule that specifies 5QI = 9. This request will fail, triggering the assertion failure and causing a denial-of-service condition.

Remediation

Users are advised to update to the latest version of Open5GS, where this issue has been addressed.