Submit #626125: Open5GS <= v2.7.5 Denial of Service

Title: Open5GS <= v2.7.5 Denial of Service

Description: A denial-of-service vulnerability has been discovered in Open5GS SMF (version v2.7.5 and earlier), which causes the SMF process to crash unexpectedly during PDU session management. The vulnerability is triggered when the SMF receives a malformed or unrecognized SBI API request to the namf-comm endpoint during the PFCP session deletion phase (smf_gsm_state_wait_pfcp_deletion). The invalid service name (namf-comm) is not handled correctly by the SMF's internal finite state machine, resulting in the process reaching an undefined execution path. A fatal assertion is raised in the gsm-sm.c logic, leading to an abrupt termination of the SMF daemon (smfd). Once triggered, this crash prevents the completion of session establishment or release and disrupts all affected UE connectivity. This issue can be remotely triggered without authentication and does not require user interaction. While it does not compromise data confidentiality or integrity, the attack has a high impact on network service availability, rendering the SMF inoperable until manually restarted. Based on the CVSS v4.0 scoring vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H), this vulnerability is rated High severity. It is remotely exploitable over the network, requires no privileges or user interaction, and has a low attack complexity. While it does not compromise confidentiality or integrity, it causes a significant disruption to service availability, particularly impacting the core session management function of the 5G network.

Source: https://github.com/open5gs/open5gs/issues/4000

User: xiaohan zheng (UID 88539)

Submission: 31/07/2025 08:16 (9 months ago)

Moderation: 09/08/2025 09:43 (9 days later)

Status: Accepted

VulDB entry: 319334 [Open5GS up to 2.7.5 SMF src/smf/gsm-sm.c smf_gsm_state_wait_pfcp_deletion denial of service]

Points: 20
