Open5GS Denial-of-Service Vulnerability in GTPv2 Bearer Response Handling

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.6. The issue arises in the GTPv2 Bearer Response Handler component, where the application crashes upon receiving a late Create Bearer Response. This occurs after the relevant user equipment or session context has been removed, triggering an assertion failure that terminates the control-plane process. The vulnerability can be exploited remotely, without authentication, by sending a crafted GTPv2 message that takes advantage of the timing and context management within the SGW-C process.
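The failure class described above, shown as an added example (a simplified model, not Open5GS source and not the project's fix): a response handler that asserts its session context exists, next to one that treats a missing context as an ordinary error. All type and function names here are hypothetical, and the TEID values are constructed.

```c
/* Simplified model for illustration; NOT Open5GS source. All names are hypothetical. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_SESS 8
typedef struct { uint32_t teid; int in_use; int bearer_pending; } sess_t;
typedef enum { RSP_OK, RSP_CONTEXT_NOT_FOUND, RSP_UNEXPECTED } rsp_result_t;
static sess_t sessions[MAX_SESS];

static sess_t *sess_find(uint32_t teid) {
    for (int i = 0; i < MAX_SESS; i++)
        if (sessions[i].in_use && sessions[i].teid == teid) return &sessions[i];
    return NULL;
}

static sess_t *sess_add(uint32_t teid) {   /* context with a bearer request outstanding */
    for (int i = 0; i < MAX_SESS; i++)
        if (!sessions[i].in_use) {
            sessions[i] = (sess_t){ .teid = teid, .in_use = 1, .bearer_pending = 1 };
            return &sessions[i];
        }
    return NULL;
}

/* Context teardown (detach, session delete, timeout). */
static void sess_remove(uint32_t teid) { sess_t *s = sess_find(teid); if (s) s->in_use = 0; }

/* Fragile: arrival order is peer-controlled, so a late response aborts the process here. */
rsp_result_t handle_rsp_fragile(uint32_t teid) {
    sess_t *s = sess_find(teid);
    assert(s != NULL);
    s->bearer_pending = 0;
    return RSP_OK;
}

/* Hardened: a missing context is an expected condition; reject and keep serving. */
rsp_result_t handle_rsp_hardened(uint32_t teid) {
    sess_t *s = sess_find(teid);
    if (s == NULL) return RSP_CONTEXT_NOT_FOUND;    /* log and drop */
    if (!s->bearer_pending) return RSP_UNEXPECTED;  /* duplicate or unsolicited */
    s->bearer_pending = 0;
    return RSP_OK;
}

int main(void) {
    sess_add(0x1001);      /* constructed TEID */
    sess_remove(0x1001);   /* context cleared before the response arrives */
    printf("late response -> %d\n", (int)handle_rsp_hardened(0x1001));
    return 0;
}
```

The same lookup failure that stops the fragile handler with an abort becomes a rejected message in the hardened one, so the process stays up for every other session.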

Impact

Exploitation of this vulnerability leads to a crash of the SGW-C process, causing a disruption in the control-plane operations of the Open5GS core network component.

Reproduction

The vulnerability can be reproduced by sending a late Create Bearer Response message on the S11 interface, after the associated user equipment or session context has been cleared. This can be done using a proof-of-concept tool that automates the process, available on GitHub.

Remediation

Users are advised to update to the latest version of Open5GS, where this vulnerability has been addressed.

Added: Jan 16, 2026, 10:23 PM
Updated: Jan 16, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.