Open5GS Denial-of-Service Vulnerability in GTPv2-C Flow Handler

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.6. The issue is in the GTPv2-C flow handler, specifically the 'sgwc_s5c_handle_create_session_response' function in 'src/sgwc/s5c-handler.c'. When processing a manipulated GTPv2-C session setup flow, SGW-C can crash and generate a core dump. The crash occurs after the session context has been established: an error is encountered because a GTP TEID is missing, and the process then aborts on an assertion failure related to PFCP FAR activation, which disrupts normal operation and availability. The vulnerability requires local exploitation, and a proof-of-concept exploit is publicly available.
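The failure pattern described above, reduced to a small model and shown beside a hardened form. This is an added example, not Open5GS code and not the project's patch; every type and function name is hypothetical, and the control flow is an assumed simplification of "error noted, then assertion reached".

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified model; none of these names are Open5GS identifiers. */
enum cause { CAUSE_ACCEPTED = 0, CAUSE_MANDATORY_IE_MISSING = 1, CAUSE_CONTEXT_NOT_READY = 2 };

struct peer_msg { bool teid_present; uint32_t teid; };  /* parsed, untrusted input */
struct far      { bool has_remote_teid; uint32_t remote_teid; bool active; };
struct session  { struct far *dl_far; };

/* Fragile shape: the missing TEID is recorded as an error, but control still
 * reaches the activation step, whose assert() aborts the whole process. */
int handle_response_fragile(struct session *s, const struct peer_msg *m)
{
    int cause = CAUSE_ACCEPTED;
    if (!m->teid_present) {
        cause = CAUSE_MANDATORY_IE_MISSING;      /* error noted, not acted on */
    } else {
        s->dl_far->remote_teid = m->teid;
        s->dl_far->has_remote_teid = true;
    }
    assert(s->dl_far->has_remote_teid);          /* condition is peer-controlled */
    s->dl_far->active = true;
    return cause;
}

/* Hardened shape: validate first and return a cause value. A bad message
 * fails this one transaction and leaves the session state untouched. */
int handle_response_hardened(struct session *s, const struct peer_msg *m)
{
    if (s == NULL || m == NULL || s->dl_far == NULL)
        return CAUSE_CONTEXT_NOT_READY;
    if (!m->teid_present)
        return CAUSE_MANDATORY_IE_MISSING;       /* caller sends an error reply */
    s->dl_far->remote_teid = m->teid;
    s->dl_far->has_remote_teid = true;
    s->dl_far->active = true;
    return CAUSE_ACCEPTED;
}
```

The general rule the model illustrates: an assertion is for invariants the program itself guarantees, while any condition a peer's message can falsify needs a checked error path.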

Impact

Exploitation of this vulnerability causes SGW-C to crash, aborting the process and generating a core dump. This abrupt termination disrupts service availability, causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a crafted GTPv2-C Create Session Request that omits the necessary GTP TEID. This can be done using the public exploit available on GitHub, which automates the process of sending the malformed request to the SGW-C component. The SGW-C server will then crash and generate a core dump, demonstrating the denial-of-service condition.

Remediation

Users are advised to update to the latest version of Open5GS, where this vulnerability has been fixed. The patch is available in the official Open5GS repository on GitHub.

Added: Jan 2, 2026, 1:19 AM
Updated: Jan 2, 2026, 1:19 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.