Open5GS SMF Denial-of-Service Vulnerability via Malformed QoS Rules in PDU Session Establishment

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7, in the Session Management Function (SMF) component. The issue is in the 'gsm_build_pdu_session_establishment_accept' function, located in 'src/smf/gsm-build.c'. It can be exploited remotely by sending a crafted HTTP response that includes malformed base64-encoded Quality of Service (QoS) rules. The SMF does not handle the resulting error properly: an assertion fails and the process terminates.

Impact

Exploitation of this vulnerability causes the SMF process to crash, aborting all ongoing transactions and disrupting service.

Reproduction

To reproduce this vulnerability, set up a fake H-SMF server that responds to PDU session creation requests with a 201 status, including invalid QoS rules in the response. When the SMF processes this response, the malformed QoS rules will cause an assertion failure, leading to a crash.

Added: May 11, 2026, 4:19 AM
Updated: May 11, 2026, 4:19 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.