Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- 2.7.6
A denial-of-service vulnerability has been identified in Open5GS version 2.7.6. The issue arises in the CCA Message Handler component, specifically within the 'smf_gx_cca_cb', 'smf_gy_cca_cb', and 'smf_s6b' functions. When a malicious Diameter peer sends a CCA message with an unknown or mismatched Session-ID, the session management function fails to find the session, leading to a process crash. This vulnerability allows for remote exploitation, causing the SMF process to terminate and disrupting all active user sessions.
Exploitation of this vulnerability causes the SMF process to crash, terminating the process and disrupting all active user sessions. The network remains unavailable until the SMF is restarted, at which point the crash can be repeated if the malicious peer is still connected.
The vulnerability can be reproduced by sending a Credit-Control-Answer (CCA) message with a fabricated Session-ID that does not match any existing session. This can be done using a proof-of-concept exploit that impersonates a legitimate Diameter peer and replies to Credit-Control-Requests (CCRs) with the malicious CCA messages. The SMF process crashes immediately upon receiving such a CCA, because the session lookup fails and triggers an assertion that terminates the process.
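The failure mode above is a handler that asserts on the result of a session lookup keyed by a value the remote peer controls. The following added C example (not Open5GS source; `session_table`, `session_find`, `cca_handler_asserting`, `cca_handler_checked` and the alert threshold are hypothetical names and values) models a minimal CCA dispatcher: the asserting form aborts the whole process on an unmatched Session-ID, while the checked form treats the missing session as bad input from the peer, logs and counts it, drops the answer, and keeps every other session alive.

```c
/* Added illustrative example of the CCA Session-ID failure mode and a
 * hardened alternative. Not Open5GS code; all names below are hypothetical. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SESSIONS                8
#define SESSION_ID_LEN              64
#define UNKNOWN_CCA_ALERT_THRESHOLD 3   /* hypothetical alerting threshold */

enum cca_result { CCA_OK = 0, CCA_UNKNOWN_SESSION = 1, CCA_BAD_INPUT = 2 };

typedef struct {
    int  in_use;
    char session_id[SESSION_ID_LEN];
    long granted_units;     /* quota carried in the last accepted CCA */
} smf_session_t;

static smf_session_t session_table[MAX_SESSIONS];
static unsigned unknown_cca_seen;   /* CCAs dropped because no session matched */

void session_table_reset(void)
{
    memset(session_table, 0, sizeof session_table);
    unknown_cca_seen = 0;
}

/* Register a session as the SMF would when it sends a CCR. 0 on success, -1 if full/invalid. */
int session_create(const char *session_id)
{
    if (session_id == NULL || strlen(session_id) >= SESSION_ID_LEN)
        return -1;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!session_table[i].in_use) {
            session_table[i].in_use = 1;
            strcpy(session_table[i].session_id, session_id);
            session_table[i].granted_units = 0;
            return 0;
        }
    }
    return -1;
}

static smf_session_t *session_find(const char *session_id)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (session_table[i].in_use && strcmp(session_table[i].session_id, session_id) == 0)
            return &session_table[i];
    return NULL;
}

/* Pattern the advisory describes: the lookup result is asserted, so an answer
 * carrying a Session-ID the SMF never issued aborts the whole process. */
int cca_handler_asserting(const char *session_id, long granted_units)
{
    smf_session_t *sess = session_find(session_id);
    assert(sess != NULL);               /* unknown Session-ID -> abort() here */
    sess->granted_units = granted_units;
    return CCA_OK;
}

/* Hardened form: a missing session is peer-supplied bad input, not an
 * invariant violation. Log it, count it for detection, drop the answer. */
int cca_handler_checked(const char *session_id, long granted_units)
{
    if (session_id == NULL || session_id[0] == '\0')
        return CCA_BAD_INPUT;
    smf_session_t *sess = session_find(session_id);
    if (sess == NULL) {
        unknown_cca_seen++;
        fprintf(stderr, "warn: CCA for unknown Session-ID [%s] dropped\n", session_id);
        if (unknown_cca_seen == UNKNOWN_CCA_ALERT_THRESHOLD)
            fprintf(stderr, "alert: %u CCAs with unmatched Session-ID, check Diameter peer\n",
                    unknown_cca_seen);
        return CCA_UNKNOWN_SESSION;
    }
    sess->granted_units = granted_units;
    return CCA_OK;
}

long session_granted_units(const char *session_id)
{
    smf_session_t *sess = session_find(session_id);
    return sess ? sess->granted_units : -1;
}

unsigned unknown_cca_count(void) { return unknown_cca_seen; }

int main(void)
{
    session_table_reset();
    session_create("smf.example.test;1700000000;1");          /* constructed Session-ID */
    printf("known:   %d\n", cca_handler_checked("smf.example.test;1700000000;1", 1000));
    printf("unknown: %d\n", cca_handler_checked("smf.example.test;0;999", 1000));
    return 0;
}
```

The design point is the return path: the checked handler never dereferences a NULL lookup result and exposes a counter that a monitoring hook can read, so a peer repeatedly answering with unmatched Session-IDs shows up as an alert rather than as a restart loop.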