Open5GS CreateBearerRequest Assertion Vulnerability in SGW-C Component

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.6. The issue arises in the SGW-C component when handling CreateBearerRequest messages. If the session state is initially corrupted by a malformed CreateSessionResponse from the PGW, which includes an invalid PDN Address Allocation (PAA), subsequent control-plane procedures can lead SGW-C into unintended fatal error branches. This vulnerability is triggered by the CreateBearerRequest handler, which encounters an assertion that should not be reached, causing the application to crash.

Impact

Exploitation of this vulnerability leads to a crash of the Open5GS SGW-C process, causing a denial-of-service condition on the affected component.

Reproduction

The vulnerability can be reproduced by sending a CreateSessionResponse that includes an invalid PDN type, which disrupts the session state. Following this, a CreateBearerRequest can be sent, which will trigger the assertion and cause the application to crash.

Remediation

Users are advised to update to Open5GS versions 2.7.7 or later, where this issue has been fixed.