Open5GS SMF Denial-of-Service Vulnerability via PDU Session Modification Request

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7, specifically within the SMF component. The issue arises in the 'gsm_handle_pdu_session_modification_qos_flow_descriptions' function, located in 'src/smf/gsm-handler.c'. The vulnerability can be exploited remotely by manipulating the 'n1SmMsg' argument to include an invalid bitrate unit, causing the SMF process to crash. This issue has been publicly disclosed, and a pull request to address it is pending acceptance.

Impact

Exploiting this vulnerability leads to a crash of the SMF process, causing it to exit unexpectedly and disrupting service.

Reproduction

The vulnerability can be reproduced by sending a PDU Session Modification Request that includes a 'requested_qos_flow_descriptions' parameter with an invalid bitrate unit. This can be done using a crafted multipart request that simulates the modification request process. The SMF process will crash upon receiving the invalid unit, exiting with a code that indicates a fatal error.

Remediation

Users can update to Open5GS version 2.7.8 or later, where this vulnerability has been fixed.
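
The crash described above comes from an attacker-controlled NAS field reaching a fatal code path. The following added example (not Open5GS code and not the project's fix) shows the defensive pattern of validating a bitrate unit and returning an error the caller can turn into a rejection. The type and function names are hypothetical, and the accepted unit range 1..25 with 4x scaling per step is an assumption modelled on the 3GPP TS 24.501 bitrate coding.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example with constructed names; not taken from Open5GS. */
enum { BITRATE_OK = 0, BITRATE_ERR_UNIT = -1, BITRATE_ERR_RANGE = -2 };

/* Assumption: unit 1 = multiples of 1 kbps, each step multiplies by 4,
 * up to unit 25 = multiples of 256 Pbps. Anything else is rejected. */
#define UNIT_MIN 1u
#define UNIT_MAX 25u

/* Bitrate field of a QoS flow description; both members are untrusted. */
typedef struct {
    uint8_t  unit;
    uint16_t value;
} nas_bitrate_t;

/* Convert to bits per second. Reports bad input through the return code
 * instead of asserting, so the process keeps running. */
int nas_bitrate_to_bps(const nas_bitrate_t *in, uint64_t *bps)
{
    static const uint64_t step[5] = { 1, 4, 16, 64, 256 };
    uint64_t mult = 1000;                    /* kbps base */
    unsigned idx;

    if (in == NULL || bps == NULL)
        return BITRATE_ERR_RANGE;
    if (in->unit < UNIT_MIN || in->unit > UNIT_MAX)
        return BITRATE_ERR_UNIT;

    idx = in->unit - UNIT_MIN;               /* 0..24 */
    for (unsigned i = 0; i < idx / 5; i++)   /* k -> M -> G -> T -> P */
        mult *= 1000;
    mult *= step[idx % 5];
    /* value * mult no longer fits in 64 bits for the largest units. */
    if (in->value != 0 && mult > UINT64_MAX / in->value)
        return BITRATE_ERR_RANGE;
    *bps = (uint64_t)in->value * mult;
    return BITRATE_OK;
}

int main(void)
{
    /* Constructed sample inputs: valid, bad unit, bad unit, overflow. */
    nas_bitrate_t s[] = { {6, 100}, {0, 100}, {26, 1}, {25, 65535} };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        uint64_t bps = 0;
        int rc = nas_bitrate_to_bps(&s[i], &bps);
        printf("unit=%u value=%u rc=%d bps=%llu\n", (unsigned)s[i].unit,
               (unsigned)s[i].value, rc, (unsigned long long)bps);
    }
    return 0;
}
```

A caller would map any non-zero return code to a rejection of the modification request and a log entry, rather than terminating the process.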

Added: May 11, 2026, 1:19 PM
Updated: May 11, 2026, 1:19 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.