Open5GS AUSF Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions prior to 2.7.7, specifically within the AUSF component. The issue arises in the 'ogs_timer_add' function of the 'nausf-handler.c' library. This vulnerability allows for remote exploitation, where an attacker can exhaust the timer pool by sending repeated confirmation requests, causing the AUSF to crash. The vulnerability has been publicly disclosed and is available for exploitation.

Impact

Exploitation of this vulnerability leads to a crash of the AUSF component, causing it to exit with a code indicating a segmentation fault.

Reproduction

The vulnerability can be reproduced by creating a valid authentication context and then sending repeated 'PUT' requests to the '/nausf-auth/v1/ue-authentications/{authCtxId}/5g-aka-confirmation' endpoint. This should be done while keeping the UDM's 'POST /nudm-ueau/v1/{supi}/auth-events' endpoint hanging, which allows the confirmation requests to accumulate and exhaust the timer pool, causing AUSF to crash.