Open5GS SGWC Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.6, specifically within the SGWC component. The issue arises in the function 'sgwc_s5c_handle_bearer_resource_failure_indication' in 'src/sgwc/s5c-handler.c'. When a 'BearerResourceFailureIndication' (GTPv2-C message type 69) is received on the S5-C interface after the corresponding S11 transaction has timed out, the absence of a valid S11 transaction causes the application to crash. This vulnerability can be exploited remotely by manipulating the timing of messages, leading to a crash of the Open5GS SGW-C process and causing a denial-of-service condition.
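
The failure mode described above, as an added C sketch that is not Open5GS source code or its patch: a handler that looks up the S11 transaction and drops the late S5-C message when none is live. The transaction table, the lookup by sequence number and all function names are assumptions made for illustration.

```c
/* Simplified model of the late-message case; NOT Open5GS source. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define BEARER_RESOURCE_FAILURE_INDICATION 69 /* GTPv2-C message type, from the advisory */
#define MAX_XACT 8

typedef struct { uint32_t seq; int in_use; uint64_t expires_at; } s11_xact_t;
typedef enum { HANDLED, DROPPED_NO_XACT, DROPPED_WRONG_TYPE } result_t;
static s11_xact_t xact_table[MAX_XACT];

/* Register a pending S11 transaction with a deadline (ms); -1 if the table is full. */
int s11_xact_add(uint32_t seq, uint64_t expires_at) {
    for (int i = 0; i < MAX_XACT; i++)
        if (!xact_table[i].in_use) {
            xact_table[i] = (s11_xact_t){ seq, 1, expires_at };
            return 0;
        }
    return -1;
}

/* Timer tick: release every transaction whose deadline has passed. */
void s11_xact_expire(uint64_t now) {
    for (int i = 0; i < MAX_XACT; i++)
        if (xact_table[i].in_use && xact_table[i].expires_at <= now)
            xact_table[i].in_use = 0;
}

/* S5-C handler: a missing S11 transaction is an expected, peer-influenced
 * state, so it takes an error path (log and drop) instead of being assumed away. */
result_t handle_s5c_failure_indication(uint8_t type, uint32_t seq) {
    if (type != BEARER_RESOURCE_FAILURE_INDICATION)
        return DROPPED_WRONG_TYPE;
    for (int i = 0; i < MAX_XACT; i++)
        if (xact_table[i].in_use && xact_table[i].seq == seq) {
            xact_table[i].in_use = 0; /* relay the failure on S11, then finish */
            return HANDLED;
        }
    fprintf(stderr, "S5-C type %u seq %u: no live S11 transaction, dropped\n",
            (unsigned)type, (unsigned)seq);
    return DROPPED_NO_XACT;
}

int main(void) {
    s11_xact_add(7, 3000);            /* constructed sample: deadline at t=3000 ms */
    s11_xact_expire(3000);            /* S11 transaction times out */
    return handle_s5c_failure_indication(69, 7) == DROPPED_NO_XACT ? 0 : 1;
}
```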

Impact

Exploitation of this vulnerability causes the Open5GS SGW-C process to crash, terminating the service and disrupting any active sessions or processes managed by the SGW-C component.

Reproduction

The vulnerability can be reproduced by sending a 'BearerResourceFailureIndication' message on the S5-C interface after the associated S11 transaction has expired. This can be done by first establishing a session and creating an S11 transaction, then allowing the S11 transaction to time out before sending the delayed S5-C indication. The process can be automated with a public proof-of-concept exploit available on GitHub.

Remediation

Users are advised to update to the patched version of Open5GS, which is available on the official GitHub repository.

Added: Jan 28, 2026, 3:23 PM
Updated: Jan 28, 2026, 3:23 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 7.2
remediation: 7.7
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.