Open5GS SMF Assertion Failure Vulnerability in Create PDP Context Request Handling

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.6, specifically within the SMF component. The issue arises in the function responsible for handling GTPv1-C CreatePDPContextRequest messages. When the End User Address (EUA) Information Element is omitted, the request can still pass initial mandatory checks. However, the handler later attempts to access the EUA without verifying its presence, leading to a failed assertion. This flaw causes the SMF process to crash, disrupting service on the Gn interface.
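
The missing presence check described above can be expressed as a validation pass that returns a GTPv1 cause value instead of asserting. This is an added example, not Open5GS code: the function names and the constructed sample buffers are assumptions, the IE type and cause values are those of 3GPP TS 29.060, and the TV length table is abbreviated, so any TV type outside it is treated as a format error.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example; IE type and cause values per 3GPP TS 29.060, names hypothetical. */
#define IE_END_USER_ADDRESS   128  /* TLV IE carrying the End User Address */
#define CAUSE_ACCEPTED        128  /* Request accepted */
#define CAUSE_INVALID_FORMAT  193  /* Invalid message format */
#define CAUSE_MAND_IE_MISSING 202  /* Mandatory IE missing */

/* Constructed IE areas (not captured traffic): NSAPI + EUA, NSAPI + TEID only,
 * and an EUA whose length field runs past the end of the buffer. */
const uint8_t sample_with_eua[]    = {0x14, 0x05, 0x80, 0x00, 0x02, 0xF1, 0x21};
const uint8_t sample_without_eua[] = {0x14, 0x05, 0x10, 0x00, 0x00, 0x00, 0x01};
const uint8_t sample_truncated[]   = {0x80, 0x00, 0x06, 0xF1, 0x21};

/* Fixed payload length of the TV IEs (type < 128) this example knows; -1 otherwise. */
static int tv_len(uint8_t type)
{
    switch (type) {
    case 2:                    return 8;  /* IMSI */
    case 14: case 15: case 20: return 1;  /* Recovery, Selection Mode, NSAPI */
    case 16: case 17:          return 4;  /* TEID Data I, TEID Control Plane */
    default:                   return -1;
    }
}

/* Walk the IE area of a Create PDP Context Request and return a cause value.
 * A missing EUA is reported as a rejection cause, never dereferenced. */
int check_create_pdp_ies(const uint8_t *ies, size_t len)
{
    size_t off = 0;
    int eua_seen = 0;
    while (off < len) {
        uint8_t type = ies[off++];
        size_t ie_len;
        if (type < 128) {                  /* TV: length implied by the type */
            int fixed = tv_len(type);
            if (fixed < 0) return CAUSE_INVALID_FORMAT;
            ie_len = (size_t)fixed;
        } else {                           /* TLV: 2-byte big-endian length */
            if (len - off < 2) return CAUSE_INVALID_FORMAT;
            ie_len = ((size_t)ies[off] << 8) | ies[off + 1];
            off += 2;
        }
        if (len - off < ie_len) return CAUSE_INVALID_FORMAT;
        if (type == IE_END_USER_ADDRESS) eua_seen = 1;
        off += ie_len;
    }
    return eua_seen ? CAUSE_ACCEPTED : CAUSE_MAND_IE_MISSING;
}
```

Running a check of this kind before the handler reads the EUA turns the crash condition into an ordinary rejected request that can be logged and counted.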

Impact

Exploitation of this vulnerability causes the SMF process to terminate abruptly, leading to a service interruption on the Gn interface.

Reproduction

The vulnerability can be reproduced by sending a GTPv1-C CreatePDPContextRequest that excludes the End User Address Information Element. This can be done using a crafted UDP message that bypasses initial mandatory checks, allowing the request to be processed until it triggers the assertion failure. The SMF logs will indicate the crash caused by the missing EUA.

Added: Feb 16, 2026, 1:18 AM
Updated: Feb 16, 2026, 1:18 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.