Open5GS PFCP Library Buffer Overflow Vulnerability in SMF and UPF

Vulnerability

A buffer overflow vulnerability has been identified in the Open5GS PFCP library, affecting versions through 2.7.2. The flaw is in the 'ogs_pfcp_subnet_add' function, which is used by the Session Management Function (SMF) and User Plane Function (UPF). A local attacker can overflow the destination buffer by supplying a 'session.dnn' value longer than 101 characters. The overflow overwrites adjacent memory, which can crash the application or potentially lead to arbitrary code execution.

Impact

Exploitation of this vulnerability overflows the buffer and corrupts the memory adjacent to it. In many cases, such memory corruption can be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by supplying a configuration file in which a 'dnn' value is longer than 101 characters, for example by manually editing the configuration file used by the Open5GS SMF or UPF component. After the configuration is applied, the overflow can be confirmed in a modified build of the source that exposes the 'fd' and 'num_of_range' fields adjacent to the buffer; compiling and running that build shows those fields overwritten.
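As an added illustration of the bug class described in the Vulnerability and Reproduction sections (this is example code, not Open5GS's own), the following hypothetical model places a 100-character DNN buffer directly ahead of two fields standing in for 'fd' and 'num_of_range', shows the unchecked copy that would clobber them, the length check a fix needs, and a pre-screen for over-long 'dnn' lines in a configuration file. The struct layout, function names and sample values are all assumptions.

```c
#include <string.h>
/* Hypothetical model of a subnet entry (NOT Open5GS's real struct): a 100-char
 * DNN buffer plus NUL, followed by two fields that stand in for 'fd' and
 * 'num_of_range', which an unbounded copy of an over-long DNN would clobber. */
#define DNN_MAX_LEN 100

typedef struct {
    char dnn[DNN_MAX_LEN + 1];
    int fd;
    int num_of_range;
} subnet_t;

/* The pattern to avoid (never called here): strcpy() with no length check
 * writes past dnn[] into fd and num_of_range once the DNN exceeds 100 chars. */
void subnet_add_unchecked(subnet_t *s, const char *dnn) { strcpy(s->dnn, dnn); }

/* Hardened add: a DNN that does not fit is refused before any byte is written,
 * so the neighbouring fields can never be touched. Returns 0, or -1 on reject. */
int subnet_add_checked(subnet_t *s, const char *dnn)
{
    /* memchr bounds the scan to the buffer size: no strlen() over huge input. */
    const char *nul = memchr(dnn, '\0', sizeof s->dnn);
    if (nul == NULL)
        return -1;                         /* no NUL within 101 bytes: too long */
    memcpy(s->dnn, dnn, (size_t)(nul - dnn) + 1);       /* copies the NUL too */
    return 0;
}

/* Config pre-check for a line such as "dnn: internet": DNN length, or -1 if the
 * line is not a dnn entry, so a file can be screened before SMF/UPF load it. */
long dnn_length_in_line(const char *line)
{
    return strncmp(line, "dnn: ", 5) == 0 ? (long)strlen(line + 5) : -1;
}

/* Self-check with constructed inputs: 0 if a 101-char DNN is refused with fd
 * and num_of_range intact and a 100-char DNN is then accepted; else 1 or 2. */
int demo_length_limit(void)
{
    char buf[DNN_MAX_LEN + 2];
    subnet_t s = { "", 42, 7 };
    memset(buf, 'a', DNN_MAX_LEN + 1);
    buf[DNN_MAX_LEN + 1] = '\0';                /* 101 chars: one over the limit */
    if (subnet_add_checked(&s, buf) != -1 || s.fd != 42 || s.num_of_range != 7)
        return 1;
    buf[DNN_MAX_LEN] = '\0';                    /* 100 chars: exactly the limit */
    if (subnet_add_checked(&s, buf) != 0 || strlen(s.dnn) != DNN_MAX_LEN)
        return 2;
    return 0;
}
```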

Remediation

Users can upgrade to Open5GS version 2.7.3 or later, where this vulnerability has been fixed.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

  spread          1.4
  impact          2.5
  exploitability  4.8
  remediation     7.7
  relevance       0.2
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.