Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.5
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.5, specifically within the SMF component. The issue arises in the 'smf_state_operational' function of 'src/smf/smf-sm.c', where improper handling of HTTP/2 stream states can lead to a crash. This vulnerability can be exploited remotely, particularly under conditions of limited memory availability, by causing the SMF to process closed or invalid streams. This flaw has been publicly disclosed and is actively being exploited.
Exploitation of this vulnerability causes the SMF process to crash, disrupting service for all users, even though the issue may only pertain to a single user context.
The vulnerability can be reproduced by deploying Open5GS SMF version 2.7.5 or earlier in a Docker container with strict memory limits. After starting all Network Function containers, initiate a PDU session release that triggers a stream closure, such as by sending a RST_STREAM, while the SMF is under memory pressure. This will cause the SMF to attempt to process the closed stream, leading to a fatal assertion failure and crashing the entire SMF process.
Users are advised to upgrade to Open5GS version 2.7.6, which addresses this vulnerability. The patch is available on the Open5GS GitHub repository.
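The failure class described above, a fatal assertion on a stream the peer has already closed, is shown here next to a handler that rejects the stale stream and keeps running. This is an added example, not Open5GS code and not the 2.7.6 patch; every type and function name in it is hypothetical.

```c
/* Added illustration; all names are hypothetical, not Open5GS identifiers. */
#include <assert.h>
#include <stddef.h>
#define MAX_STREAMS 8
enum stream_state { STREAM_FREE = 0, STREAM_OPEN, STREAM_CLOSED };
enum handle_result { HANDLED = 0, DROPPED_STALE_STREAM = -1 };
struct stream { unsigned id; enum stream_state state; int responses_sent; };
static struct stream table[MAX_STREAMS];

static struct stream *stream_find_open(unsigned id)
{
    for (size_t i = 0; i < MAX_STREAMS; i++)
        if (table[i].state == STREAM_OPEN && table[i].id == id)
            return &table[i];
    return NULL; /* closed, reset by the peer, or never existed */
}

int stream_open(unsigned id)
{
    for (size_t i = 0; i < MAX_STREAMS; i++)
        if (table[i].state != STREAM_OPEN) {
            table[i] = (struct stream){ id, STREAM_OPEN, 0 };
            return 0;
        }
    return -1; /* table full */
}

void stream_reset(unsigned id) /* models the peer sending RST_STREAM */
{
    struct stream *s = stream_find_open(id);
    if (s) s->state = STREAM_CLOSED;
}

/* Crash-prone pattern: a peer-controlled condition is treated as an invariant. */
int respond_asserting(unsigned id)
{
    struct stream *s = stream_find_open(id);
    assert(s); /* aborts the whole process if the stream was reset */
    s->responses_sent++;
    return HANDLED;
}

/* Hardened pattern: a stale stream fails one request, not the process. */
int respond_checked(unsigned id)
{
    struct stream *s = stream_find_open(id);
    if (!s) return DROPPED_STALE_STREAM;
    s->responses_sent++;
    return HANDLED;
}
```

Calling `respond_asserting` after `stream_reset` on the same id aborts the process, which is why one session's closed stream ends service for every user.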