Open5GS Buffer Over-Read Vulnerability in VoLTE Cx-Test Component

Vulnerability

A stack-based buffer over-read vulnerability has been identified in Open5GS versions through 2.7.6. The issue arises in the VoLTE Cx-Test component, specifically within the 'hss_ogs_diam_cx_mar_cb' function of 'src/hss/hss-cx-path.c'. The vulnerability is caused by logging the 'ak' buffer using 'OGS_KEY_LEN', while the buffer is allocated with 'OGS_AK_LEN'. This mismatch leads to a stack buffer over-read during logging, which could cause instability or information leakage. The vulnerability can be exploited remotely.
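The length mismatch described above, reduced to a stand-alone C example with a bounds-checked hex logger beside it. This is added illustration, not Open5GS code: 'EX_KEY_LEN', 'EX_AK_LEN', 'hex_encode_bounded', 'HEX_ENCODE_ARRAY' and both 'log_ak_*' functions are hypothetical names, and the sizes and 'ak' bytes are constructed sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes for illustration; stand-ins for OGS_KEY_LEN / OGS_AK_LEN. */
#define EX_KEY_LEN 16
#define EX_AK_LEN  6

/* Hex-encode `len` bytes of `buf` into `out`. Returns -1 when the caller asks
 * for more bytes than `buf` holds, instead of reading past the buffer. */
static int hex_encode_bounded(const uint8_t *buf, size_t buf_size, size_t len,
                              char *out, size_t out_size)
{
    static const char digits[] = "0123456789abcdef";
    if (len > buf_size || out_size < 2 * len + 1)
        return -1;
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = digits[buf[i] >> 4];
        out[2 * i + 1] = digits[buf[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return (int)(2 * len);
}

/* Take the length from the array itself so the logged length and the
 * allocation cannot drift apart. Valid on true arrays only, not pointers. */
#define HEX_ENCODE_ARRAY(arr, out, out_size) \
    hex_encode_bounded((arr), sizeof(arr), sizeof(arr), (out), (out_size))

/* Mismatched pattern: key-sized length on an AK-sized buffer (rejected here). */
static int log_ak_mismatched(char *out, size_t out_size)
{
    uint8_t ak[EX_AK_LEN] = {0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6}; /* constructed */
    return hex_encode_bounded(ak, sizeof(ak), EX_KEY_LEN, out, out_size);
}

/* Corrected pattern: length derived from the buffer being logged. */
static int log_ak_fixed(char *out, size_t out_size)
{
    uint8_t ak[EX_AK_LEN] = {0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6}; /* constructed */
    return HEX_ENCODE_ARRAY(ak, out, out_size);
}

int main(void)
{
    char line[2 * EX_KEY_LEN + 1];
    printf("mismatched length: %d\n", log_ak_mismatched(line, sizeof line));
    if (log_ak_fixed(line, sizeof line) > 0)
        printf("ak=%s\n", line);
    return 0;
}
```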

Impact

Exploitation of this vulnerability leads to a stack-based buffer over-read, where the 'ak' variable is accessed beyond its allocated memory. This over-read is logged, creating a potential for information leakage. Such buffer over-read conditions can commonly be exploited to execute arbitrary code or cause a denial-of-service by crashing the application.

Reproduction

The vulnerability can be reproduced by compiling Open5GS with AddressSanitizer enabled and then running the VoLTE Cx-Test. The test logs the 'ak' buffer with the incorrect length, and AddressSanitizer reports a stack-buffer-over-read error.

Remediation

Users are advised to update to the patched version of Open5GS. The patch is available in the official Open5GS GitHub repository.

Added: Feb 4, 2026, 9:31 PM
Updated: Feb 4, 2026, 9:31 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.