Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.5
A denial-of-service vulnerability has been identified in Open5GS versions prior to 2.7.6. The issue arises in the SGW-C component, specifically within the bearer management function 'sgwc_bearer_add' in 'src/sgwc/context.c'. When the bearer pool is exhausted, the function fails to allocate a new bearer and returns a NULL value. However, instead of handling this failure gracefully, the code asserts that the bearer is valid, leading to a crash. This vulnerability can be exploited remotely, without authentication, and has a public proof-of-concept exploit available.
Exploitation of this vulnerability causes the Open5GS SGW-C process to crash, terminating the service and disrupting any active sessions or operations.
The vulnerability can be reproduced by configuring Open5GS SGW-C with a limited bearer pool and then sending a high volume of Create Session Requests through the GTP-C protocol. This can be done using a Go program that simulates the behavior of a mobile network element (MME) by sending requests that exhaust the available bearers. Once the bearer pool limit is reached, the 'sgwc_bearer_add' function will attempt to allocate a new bearer, fail, and trigger the assertion, causing SGW-C to crash.
Users can upgrade to Open5GS version 2.7.6 or later, where this issue has been fixed.
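The failure mode described above, as an added example that is not Open5GS source code or the project's actual fix: a fixed-size pool whose allocator returns NULL on exhaustion, with the asserting pattern beside a form that rejects only the offending request. All names (`pool_alloc`, `bearer_add_asserting`, `bearer_add_checked`, `handle_create_session`) and the pool size are hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

#define POOL_SIZE 4 /* constructed limit; stands in for the configured bearer pool */
typedef struct { int in_use; unsigned ebi; } bearer_t;
static bearer_t pool[POOL_SIZE];

/* Returns a free slot, or NULL once every slot is taken. */
static bearer_t *pool_alloc(void) {
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}

/* Pattern from the advisory: exhaustion is treated as "cannot happen",
 * so a condition a remote peer can cause aborts the whole process. */
bearer_t *bearer_add_asserting(unsigned ebi) {
    bearer_t *b = pool_alloc();
    assert(b); /* aborts here when pool_alloc() returned NULL */
    b->ebi = ebi;
    return b;
}

/* Hardened form: exhaustion is an expected runtime result, reported to the caller. */
bearer_t *bearer_add_checked(unsigned ebi) {
    bearer_t *b = pool_alloc();
    if (!b) return NULL;
    b->ebi = ebi;
    return b;
}

enum result { SESSION_ACCEPTED, SESSION_REJECTED_NO_RESOURCES };

/* The caller rejects the one request and keeps serving existing sessions. */
enum result handle_create_session(unsigned ebi) {
    return bearer_add_checked(ebi) ? SESSION_ACCEPTED : SESSION_REJECTED_NO_RESOURCES;
}

/* Empties the pool, drives n requests through the hardened path, counts rejections. */
int count_rejected(int n) {
    int rejected = 0;
    for (size_t i = 0; i < POOL_SIZE; i++) pool[i].in_use = 0;
    for (int i = 0; i < n; i++)
        if (handle_create_session(5u + (unsigned)i) != SESSION_ACCEPTED) rejected++;
    return rejected;
}

int main(void) { printf("rejected=%d\n", count_rejected(10)); return 0; }
```

Reserve assertions for invariants that no external input can violate; resource limits reachable from the network need an error path.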