Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.6
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.6. The issue arises in the SMF component, specifically within the function 'ogs_gtp2_parse_tft' in the file 'lib/gtp/v2/types.c'. The vulnerability can be exploited remotely by sending a Bearer Resource Command on the S5-C interface that includes a malformed Traffic Aggregate Description (TAD) IE, which is encoded using the Traffic Flow Template (TFT) format. The exploitation involves manipulating the 'pf[0].content.length' field to a large value, such as 255, while only providing a small amount of actual data. This causes the SMF's TFT parser to read beyond the available buffer, leading to an assertion failure that crashes the SMF process and causes a remote denial-of-service condition.
Exploitation of this vulnerability causes the SMF process to crash, aborting the operation and disrupting service.
The vulnerability can be reproduced by sending a Bearer Resource Command with a crafted Traffic Aggregate Description that includes a packet filter content length set to a large value, such as 255, while only providing a small amount of actual content. This can be done using a Go program that utilizes the 'github.com/wmnsk/go-gtp' library to create and send the malicious GTP message over UDP to the SMF's GTP-C port.
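As an added illustration of the check the advisory describes as missing (this is hypothetical example code, not Open5GS's 'ogs_gtp2_parse_tft' or any of its types), the following simplified parser walks the packet filter list of a TFT value as laid out in 3GPP TS 24.008 section 10.5.6.12 and rejects any packet filter whose one-octet content length exceeds the bytes remaining in the IE, returning an error to the caller instead of reading past the buffer or tripping an assertion. The struct names, error codes and the two constructed sample TFTs are assumptions made for this example; the second sample uses the "length 255 with only two octets of data" shape from the advisory as a regression input.

```c
/* Simplified TFT (3GPP TS 24.008 10.5.6.12) packet-filter-list parser that
 * bounds-checks every packet filter content length against the bytes that
 * actually remain in the IE. Hypothetical example, not Open5GS code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TFT_MAX_PF 15          /* the filter count field is 4 bits wide */
#define TFT_OP_DELETE_PF 5     /* "delete packet filters from existing TFT" */

enum {
    TFT_OK          =  0,
    TFT_ERR_SHORT   = -1,      /* header or filter header truncated */
    TFT_ERR_PF_LEN  = -2       /* content length exceeds remaining bytes */
};

typedef struct {
    uint8_t direction;         /* bits 6-5 of the first filter octet */
    uint8_t identifier;        /* bits 4-1 */
    uint8_t precedence;
    uint8_t content_len;
    const uint8_t *content;    /* points into the caller's buffer, not copied */
} tft_pf_t;

typedef struct {
    uint8_t opcode;            /* TFT operation code, bits 8-6 of octet 1 */
    uint8_t ebit;              /* E bit: a parameters list follows the filters */
    uint8_t num_pf;
    tft_pf_t pf[TFT_MAX_PF];
} tft_t;

/* Parses the packet filter list of a TFT value. Returns TFT_OK or a negative
 * error and never reads past buf + len; a malformed IE is reported to the
 * caller instead of being treated as an internal invariant violation. */
int tft_parse(const uint8_t *buf, size_t len, tft_t *out)
{
    size_t pos;
    uint8_t i;

    if (len < 1)
        return TFT_ERR_SHORT;
    out->opcode = (buf[0] >> 5) & 0x07;
    out->ebit   = (buf[0] >> 4) & 0x01;
    out->num_pf = buf[0] & 0x0f;
    pos = 1;

    for (i = 0; i < out->num_pf; i++) {
        tft_pf_t *pf = &out->pf[i];

        /* "delete packet filters" carries only the identifier octet per filter */
        if (out->opcode == TFT_OP_DELETE_PF) {
            if (len - pos < 1)
                return TFT_ERR_SHORT;
            pf->identifier  = buf[pos] & 0x0f;
            pf->direction   = 0;
            pf->precedence  = 0;
            pf->content_len = 0;
            pf->content     = NULL;
            pos += 1;
            continue;
        }

        /* identifier/direction, precedence and content length octets */
        if (len - pos < 3)
            return TFT_ERR_SHORT;
        pf->direction   = (buf[pos] >> 4) & 0x03;
        pf->identifier  = buf[pos] & 0x0f;
        pf->precedence  = buf[pos + 1];
        pf->content_len = buf[pos + 2];
        pos += 3;

        /* The check the advisory describes as missing: the one-octet length
         * field is peer-controlled and must not exceed what remains. */
        if (pf->content_len > len - pos)
            return TFT_ERR_PF_LEN;
        pf->content = buf + pos;
        pos += pf->content_len;
    }
    return TFT_OK;
}

/* Constructed sample: "create new TFT", one bidirectional filter, id 1,
 * precedence 0, 2-octet content (protocol identifier component = TCP). */
const uint8_t TFT_SAMPLE_OK[]  = { 0x21, 0x31, 0x00, 0x02, 0x30, 0x06 };
/* Constructed sample: same filter, but the content length claims 255 octets
 * while only 2 follow, the shape of the malformed TAD in the advisory. */
const uint8_t TFT_SAMPLE_BAD[] = { 0x21, 0x31, 0x00, 0xff, 0x30, 0x06 };

int main(void)
{
    tft_t t;
    printf("well-formed: %d\n", tft_parse(TFT_SAMPLE_OK,  sizeof TFT_SAMPLE_OK,  &t));
    printf("malformed  : %d\n", tft_parse(TFT_SAMPLE_BAD, sizeof TFT_SAMPLE_BAD, &t));
    return 0;
}
```

The invariant the loop maintains is `pos <= len` at every step: each advance is guarded by a comparison against `len - pos`, so the subtraction can never underflow and no read ever lands past the end of the IE. A unit test that feeds the parser the second sample is a cheap regression guard for exactly the input class the advisory describes.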