Open5GS Denial-of-Service Vulnerability in Policy Control Function

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7. The issue is in the Policy Control Function (PCF) component, in the 'pcf_npcf_smpolicycontrol_handle_delete' function of 'src/pcf/sm-sm.c'. It is remotely exploitable: an attacker can disrupt the PCF session state by sending a 'GET' request to the '/npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete' endpoint. This endpoint is intended to be accessed with a 'POST' request that includes a specific body, but the PCF incorrectly processes the 'GET' request as a delete operation. The resulting error is escalated into a state-machine exception, which clears the entire session context.

Impact

Exploitation of this vulnerability disrupts the PCF session state: the PCF clears the session context for the affected user.

Reproduction

To reproduce this vulnerability, send a 'GET' request to the '/npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete' endpoint. This request should be made after creating an application session for the same user. The 'GET' request will be processed by the delete handler, which expects a 'SmPolicyDeleteData' body. Since the body is missing, the request will fail, but the failure will trigger a state-machine exception that clears the PCF session context. This can be verified by attempting to access the application session again, which will result in a '404 Not Found' error, indicating that the session has been cleared.
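The routing flaw described above, next to a hardened form, as an added example that is not Open5GS code. It is a simplified model: the types, function names and the status returned on the failure path are hypothetical and chosen only for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model, not Open5GS code: all types and names are hypothetical. */
typedef struct {
    const char *method;   /* "GET", "POST", ... */
    const char *action;   /* path segment after {smPolicyId}, e.g. "delete" */
    const char *body;     /* NULL when the request carries no body */
} sbi_request_t;

typedef struct {
    bool present;         /* true while the session context exists */
} sm_session_t;

/* Behaviour the page describes: the route is chosen from the path alone,
 * and a handler failure is escalated into clearing the session context. */
int dispatch_path_only(sm_session_t *sess, const sbi_request_t *req)
{
    if (strcmp(req->action, "delete") != 0)
        return 404;
    if (req->body == NULL) {
        sess->present = false;   /* failure path wipes the context */
        return 400;              /* illustrative status for the failed request */
    }
    sess->present = false;       /* legitimate delete */
    return 204;
}

/* Hardened form: validate method and body before any session state is
 * touched, and answer a bad request with an HTTP error only. */
int dispatch_checked(sm_session_t *sess, const sbi_request_t *req)
{
    if (strcmp(req->action, "delete") != 0)
        return 404;
    if (strcmp(req->method, "POST") != 0)
        return 405;              /* Method Not Allowed, session untouched */
    if (req->body == NULL || req->body[0] == '\0')
        return 400;              /* missing body, session untouched */
    sess->present = false;       /* only a well-formed POST deletes */
    return 204;
}
```

In the hardened form a malformed request is a per-request error, so it can never change state that belongs to the session.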

Added: May 10, 2026, 5:19 AM
Updated: May 10, 2026, 5:19 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 7.6
remediation: 0.0
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.