Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.7
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7, specifically within the SMF component. The issue arises in the function responsible for handling data updates, where the absence of a required QoS flow profile in the request leads to a null pointer dereference. This flaw causes the SMF process to crash, disrupting service. The vulnerability can be exploited remotely, and public exploit details are available.
Exploitation of this vulnerability causes the SMF process to crash, abruptly terminating the session management function and potentially disrupting ongoing operations.
The vulnerability can be reproduced by sending a VsmfUpdateData request to the SMF's PDU session modification endpoint, deliberately omitting the qosFlowProfile while including other QoS-related data. This request can be sent using a crafted payload that bypasses the initial validation checks, leading to a null dereference and causing the SMF process to crash.
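The root cause described above is an optional field being dereferenced without a presence check. The following is an added example of the defensive pattern, not Open5GS code and not the project's patch: every type, function name and return code in it is hypothetical, and the sample items are constructed. It validates all QoS flow items before changing any session state and rejects the request when a profile is missing.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified types for illustration; not Open5GS structures. */
typedef struct { int five_qi; int priority_level; } qos_flow_profile_t;
typedef struct {
    int qfi;                            /* QoS flow identifier */
    const char *qos_rules;              /* other QoS-related data, may be present */
    const qos_flow_profile_t *profile;  /* NULL when qosFlowProfile was omitted */
} qos_flow_item_t;
typedef struct { int five_qi; int priority_level; int in_use; } flow_state_t;

enum { UPDATE_OK = 0, UPDATE_BAD_REQUEST = 400 };  /* example's own codes */
#define MAX_QFI 63

/* Pass 1 validates every item; pass 2 applies them. A request with a
 * missing profile is rejected as a whole and leaves the session state
 * unchanged, instead of reaching a NULL dereference in pass 2. */
int apply_qos_flow_update(flow_state_t flows[MAX_QFI + 1],
                          const qos_flow_item_t *items, size_t n)
{
    size_t i;
    if (flows == NULL || (items == NULL && n > 0))
        return UPDATE_BAD_REQUEST;
    for (i = 0; i < n; i++) {
        if (items[i].qfi < 0 || items[i].qfi > MAX_QFI)
            return UPDATE_BAD_REQUEST;
        if (items[i].profile == NULL)   /* the check the advisory says is absent */
            return UPDATE_BAD_REQUEST;
    }
    for (i = 0; i < n; i++) {
        flow_state_t *f = &flows[items[i].qfi];
        f->five_qi = items[i].profile->five_qi;
        f->priority_level = items[i].profile->priority_level;
        f->in_use = 1;
    }
    return UPDATE_OK;
}

int main(void)
{
    flow_state_t flows[MAX_QFI + 1] = {{0}};
    qos_flow_profile_t prof = {9, 8};                 /* constructed sample */
    qos_flow_item_t ok[1]  = {{5, "rule-a", &prof}};
    qos_flow_item_t bad[2] = {{6, "rule-b", &prof}, {7, "rule-c", NULL}};
    printf("complete item: %d\n", apply_qos_flow_update(flows, ok, 1));
    printf("missing profile: %d\n", apply_qos_flow_update(flows, bad, 2));
    return 0;
}
```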