Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.5
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.5. The issue arises in the SGW-C component, specifically within the Timer Handler, where improper management of timer resources allows for excessive consumption. This vulnerability can be exploited remotely, without authentication, by sending a high volume of GTPv2 Create Session Request messages. As the SGW-C UE and session context pools become saturated, the application fails to allocate necessary timer resources, triggering fatal assertions that cause the service to crash and dump core. This behavior disrupts normal operations and service continuity.
Exploitation of this vulnerability causes the Open5GS SGW-C process to crash, leading to a denial-of-service condition where the service is abruptly terminated and unavailable until manually restarted.
The vulnerability can be reproduced by sending multiple GTPv2 Create Session Request messages to an Open5GS SGW-C instance. This can be done using a custom Go program that automates the process, gradually exhausting the UE and timer resource pools. The program can be configured to send requests at a rate of one every 10 milliseconds, with the option to rotate through different IMSI and EPS Bearer ID values to create multiple sessions per UE. Once the resource limits are reached, the SGW-C process will crash, demonstrating the denial-of-service condition.
Users are advised to update to Open5GS version 2.7.6 or later, where this vulnerability has been fixed.
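The failure mode described above, where a saturated pool turns into a fatal assertion, is contrasted here with treating exhaustion as an ordinary runtime condition. This C example is added for illustration and is not Open5GS source code or the project's 2.7.6 fix; the pool size, type and function names are hypothetical, and the cause values 16 and 73 are the GTPv2 codes for "Request accepted" and "No resources available".

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

#define POOL_SIZE 4            /* constructed limit for the demo */
#define CAUSE_ACCEPTED 16      /* GTPv2 cause "Request accepted" */
#define CAUSE_NO_RESOURCES 73  /* GTPv2 cause "No resources available" */

typedef struct { int in_use; } sess_timer_t;   /* hypothetical timer slot */
static sess_timer_t pool[POOL_SIZE];

/* Fixed-size pool: returns NULL once every slot is taken. */
static sess_timer_t *timer_alloc(void)
{
    for (size_t i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}

/* Fragile pattern: exhaustion is treated as "cannot happen", so a peer
 * that opens POOL_SIZE + 1 sessions aborts the whole process. */
int create_session_fragile(sess_timer_t **out)
{
    *out = timer_alloc();
    assert(*out);              /* abort() and core dump when the pool is full */
    return CAUSE_ACCEPTED;
}

/* Hardened pattern: exhaustion is an expected runtime state; reject this
 * one request and keep serving the sessions that already exist. */
int create_session_hardened(sess_timer_t **out)
{
    *out = timer_alloc();
    if (*out == NULL)
        return CAUSE_NO_RESOURCES;
    return CAUSE_ACCEPTED;
}

/* Session teardown returns the timer slot to the pool. */
void delete_session(sess_timer_t *t) { if (t) t->in_use = 0; }

int main(void)
{
    sess_timer_t *t[POOL_SIZE + 1];
    for (int i = 0; i <= POOL_SIZE; i++)
        printf("request %d -> cause %d\n", i, create_session_hardened(&t[i]));
    delete_session(t[0]);
    printf("after release -> cause %d\n", create_session_hardened(&t[0]));
    return 0;
}
```

With the hardened handler the request that exceeds the pool is rejected and the process keeps running; the fragile handler would abort at the same point.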