| 제목 | Open5GS <=v2.7.5 Denail of Service |
|---|
| 설명 | A denial-of-service (DoS) vulnerability exists in Open5GS SMF (version v2.7.5 and earlier), caused by improper validation of SBI stream state under resource-constrained conditions during PDU session release.
This issue is triggered when the SMF operates under strict memory limits, and an HTTP/2 stream (used for SBI communication) has already been closed — for example, after receiving a RST_STREAM from a peer NF. Despite the stream being invalid, the SMF proceeds to process the event without checking the stream's state, leading to a fatal assertion failure in the function smf_state_operational().
Instead of handling the situation gracefully — by skipping the event or logging an error — the SMF crashes on the assertion assert(stream), resulting in termination of the entire SMF process, even though the failure is tied to a single UE context.
A remote attacker could potentially exploit this vulnerability by simulating high churn (frequent PDU session releases) under load, triggering stream closures and causing the SMF to repeatedly crash.
CVSS v4.0 Base Score
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Base Score: 8.8(High) |
|---|
| 원천 | ⚠️ https://github.com/open5gs/open5gs/issues/3978 |
|---|
| 사용자 | lixxxiang (UID 88572) |
|---|
| 제출 | 2025. 07. 31. AM 07:57 (9 개월 ago) |
|---|
| 모더레이션 | 2025. 08. 09. AM 09:21 (9 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 319330 [Open5GS 까지 2.7.5 SMF src/smf/smf-sm.c smf_state_operational stream 서비스 거부] |
|---|
| 포인트들 | 20 |
|---|