Open5GS Denial-of-Service Vulnerability in Authentication-Subscription Endpoint

A denial-of-service vulnerability has been identified in Open5GS versions prior to 2.7.7. The issue arises in the authentication-subscription endpoint, specifically within the udm_nudr_dr_handle_subscription_authentication function in the nudr-handler.c file. This vulnerability can be remotely exploited, leading to a crash of the User Data Management (UDM) service.

Impact

Exploitation of this vulnerability causes the UDM service to crash, disrupting its functionality and potentially affecting the overall service availability.

Reproduction

The vulnerability can be reproduced by sending a POST request to the /nudm-ueau/v1/{supi}/security-information/generate-auth-data endpoint, including a resynchronization payload that references authentication data subscription. This payload should be crafted to exploit the state mismatch in the UDM's response handling, specifically by using a fresh SUPI that has not been properly initialized, which will trigger an assertion failure and cause the UDM process to abort.