Open5GS Denial-of-Service Vulnerability in Bearer QoS Length Handling

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.6. The issue arises in the SGW-C component when processing GTPv2 Create Session Requests that contain malformed Bearer Quality of Service (QoS) Information Elements (IEs). Specifically, the vulnerability is located in the function 'ogs_gtp2_parse_bearer_qos' within the file 'lib/gtp/v2/types.c'. The problem occurs because the SGW-C handler fails to validate the length of the Bearer QoS IE before passing it to the parsing function, which includes a hard assertion that triggers a process abort if the length is incorrect. This flaw has been publicly disclosed and exploited, leading to crashes of the Open5GS SGW-C daemon and a denial-of-service condition for all connected users.
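
The missing check described above, as an added example in C (not code from Open5GS or its patch): the parser rejects a Bearer QoS IE whose length is not the 22 octets defined in 3GPP TS 29.274 and returns an error that the handler turns into a reject cause, instead of asserting on peer-supplied input. The type and function names are hypothetical; the cause values 16 and 67 are the TS 29.274 values for "Request accepted" and "Invalid length".

```c
#include <stddef.h>
#include <stdint.h>

/* Bearer QoS IE value (TS 29.274): flags, QCI, four 5-octet rates = 22 octets */
#define BEARER_QOS_LEN 22
#define CAUSE_REQUEST_ACCEPTED 16   /* GTPv2 cause values, TS 29.274 */
#define CAUSE_INVALID_LENGTH   67

/* Hypothetical type for this example, not the Open5GS structure. */
typedef struct {
    uint8_t pci, priority_level, pvi, qci;
    uint64_t mbr_ul, mbr_dl, gbr_ul, gbr_dl;
} bearer_qos_t;

static uint64_t be40(const uint8_t *p)   /* 5-octet big-endian integer */
{
    uint64_t v = 0;
    for (int i = 0; i < 5; i++) v = (v << 8) | p[i];
    return v;
}

/* Returns 0 on success, -1 on a malformed IE. Never aborts on peer input. */
int parse_bearer_qos(bearer_qos_t *out, const uint8_t *data, size_t len)
{
    if (!out || !data || len != BEARER_QOS_LEN)
        return -1;                        /* checked before any octet is read */
    out->pci = (data[0] >> 6) & 0x1;      /* bit 7: pre-emption capability */
    out->priority_level = (data[0] >> 2) & 0xf;
    out->pvi = data[0] & 0x1;             /* bit 1: pre-emption vulnerability */
    out->qci = data[1];
    out->mbr_ul = be40(data + 2);
    out->mbr_dl = be40(data + 7);
    out->gbr_ul = be40(data + 12);
    out->gbr_dl = be40(data + 17);
    return 0;
}

/* Handler-side check: a bad IE becomes a reject cause for the response. */
int bearer_qos_cause(const uint8_t *data, size_t len, bearer_qos_t *out)
{
    return parse_bearer_qos(out, data, len) ? CAUSE_INVALID_LENGTH : CAUSE_REQUEST_ACCEPTED;
}

int main(void)
{
    uint8_t ie[BEARER_QOS_LEN] = {0x49, 0x09, 0, 0, 0, 0x03, 0xe8}; /* constructed */
    bearer_qos_t q;
    return bearer_qos_cause(ie, 4, &q) == CAUSE_INVALID_LENGTH ? 0 : 1;
}
```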

Impact

Exploitation of this vulnerability causes the Open5GS SGW-C daemon to crash, aborting the process and dumping core. This behavior disrupts service for all connected users, creating a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a GTPv2 Create Session Request that includes a Bearer QoS Information Element with an invalid length. This can be done using a crafted UDP packet that simulates the GTPv2 message. The Open5GS SGW-C component must be running and the packet should be sent to the appropriate GTP control plane port.

Remediation

Users are advised to update to the latest version of Open5GS, where this vulnerability has been fixed. The patch can be applied by downloading the updated version from the Open5GS GitHub repository.

Added: Jan 2, 2026, 12:18 AM
Updated: Jan 2, 2026, 12:18 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.