Open5GS PFCP Component Initialization Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.5, specifically within the PFCP component. The issue arises in the function 'ogs_pfcp_handle_create_pdr' located in 'lib/pfcp/handler.c'. The vulnerability is triggered when the PFCP Session Establishment Request includes a zero-length F-TEID Information Element (IE) in the CreatePDR/PDI. This malformed input causes improper initialization, leading to a crash of the SGWU daemon. The vulnerability can be exploited remotely, without authentication, by sending a crafted PFCP message that includes the zero-length F-TEID.

Impact

Exploitation of this vulnerability crashes the SGWU process, causing it to terminate unexpectedly and disrupting service.

Reproduction

The vulnerability can be reproduced by sending a PFCP Session Establishment Request that includes a CreatePDR/PDI with a zero-length F-TEID IE. This can be done using a Go program that crafts the appropriate PFCP message and sends it to the SGWU endpoint over UDP. The program must include the zero-length F-TEID and can be run with the 'node-ip' and 'dnn' parameters specified.

Remediation

Users are advised to update to the latest version of Open5GS, where this vulnerability has been fixed.
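
For deployments that cannot be updated immediately, the malformed input described above can be recognised before it reaches the SGWU. The following C code is an added example, not code from this advisory or from Open5GS: it walks the IEs of a PFCP message body and reports a zero-length F-TEID inside CreatePDR/PDI. The function names and sample fragments are hypothetical, the IE type codes are those of 3GPP TS 29.244, and the caller is assumed to have already skipped the PFCP header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IE type codes from 3GPP TS 29.244. */
enum { IE_CREATE_PDR = 1, IE_PDI = 2, IE_F_TEID = 21 };
enum { SCAN_OK = 0, SCAN_ZERO_LEN_FTEID = 1, SCAN_MALFORMED = -1 };

/* Walk a run of PFCP IEs (2-byte type, 2-byte length, value).
 * parent is the enclosing grouped IE type, or 0 at the top level. */
static int scan_ies(const uint8_t *p, size_t n, int parent)
{
    while (n > 0) {
        if (n < 4)
            return SCAN_MALFORMED;            /* truncated IE header */
        int type = p[0] << 8 | p[1];
        size_t len = (size_t)p[2] << 8 | p[3];
        p += 4; n -= 4;
        if (len > n)
            return SCAN_MALFORMED;            /* value overruns the buffer */
        if (type == IE_F_TEID && parent == IE_PDI && len == 0)
            return SCAN_ZERO_LEN_FTEID;       /* the case in this advisory */
        /* Descend only along Create PDR -> PDI. */
        if ((type == IE_CREATE_PDR && parent == 0) ||
            (type == IE_PDI && parent == IE_CREATE_PDR)) {
            int r = scan_ies(p, len, type);
            if (r != SCAN_OK)
                return r;
        }
        p += len; n -= len;
    }
    return SCAN_OK;
}

/* Hypothetical entry point: ies points just past the PFCP header. */
int pfcp_scan_body(const uint8_t *ies, size_t n) { return scan_ies(ies, n, 0); }

/* Constructed IE fragments (not captured traffic, not complete messages). */
static const uint8_t FRAG_ZERO[] = { 0,1,0,8, 0,2,0,4, 0,21,0,0 };
static const uint8_t FRAG_OK[] = { 0,1,0,17, 0,2,0,13, 0,21,0,9, 1, 0,0,0,1, 192,0,2,1 };
static const uint8_t FRAG_TRUNC[] = { 0,1,0,8, 0,2 };

int main(void)
{
    printf("zero=%d ok=%d trunc=%d\n",
           pfcp_scan_body(FRAG_ZERO, sizeof FRAG_ZERO),
           pfcp_scan_body(FRAG_OK, sizeof FRAG_OK),
           pfcp_scan_body(FRAG_TRUNC, sizeof FRAG_TRUNC));
    return 0;
}
```

A non-zero result is a reason to drop and log the datagram; the same length checks apply to any parser that consumes these IEs.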

Added: Dec 19, 2025, 5:27 PM
Updated: Dec 19, 2025, 6:44 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.