Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.6
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.6, specifically within the SGWC component. The issue arises in the 'sgwc_s5c_handle_modify_bearer_response' function of 'src/sgwc/s5c-handler.c'. When a 'ModifyBearerResponse' is received on the S5-C interface after the corresponding S11 transaction has timed out, the absence of a valid S11 transaction causes the application to crash. This vulnerability can be exploited remotely, leading to a process abort and a core dump, which disrupts service.
Exploitation of this vulnerability causes the Open5GS SGWC process to crash, aborting any active sessions and disrupting service.
The vulnerability can be reproduced by simulating the behavior of a Mobility Management Entity (MME) and a PDN Gateway (PGW) to control the timing of messages sent to the SGWC. After establishing a session and creating an S11 transaction, the S11 response can be delayed until after the transaction times out. When the expired 'ModifyBearerResponse' is sent, the SGWC crashes due to the missing S11 transaction, demonstrating the denial-of-service condition.
Users are advised to update to Open5GS version 2.7.7 or later, where this vulnerability has been fixed.
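The failure mode described above, as a simplified model added here for illustration; it is not Open5GS source code and not the project's actual fix. All names, the table layout and the tick-based timeout are hypothetical. It shows a response handler that treats a missing (timed-out) S11 transaction as an expected runtime condition and drops the late response instead of aborting.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model, NOT Open5GS source: every name below is hypothetical. */
#define MAX_XACT 8
#define S11_TIMEOUT 3 /* constructed timeout, in abstract ticks */

typedef struct { int in_use; unsigned id; unsigned deadline; } s11_xact_t;
static s11_xact_t table[MAX_XACT];

/* Register the S11 transaction a later S5-C response must be matched to. */
int s11_xact_create(unsigned id, unsigned now) {
    for (int i = 0; i < MAX_XACT; i++)
        if (!table[i].in_use) {
            table[i] = (s11_xact_t){1, id, now + S11_TIMEOUT};
            return 0;
        }
    return -1; /* table full */
}

/* Timer tick: free every transaction whose deadline has passed. */
void s11_xact_expire(unsigned now) {
    for (int i = 0; i < MAX_XACT; i++)
        if (table[i].in_use && now >= table[i].deadline)
            table[i].in_use = 0;
}

static s11_xact_t *s11_xact_find(unsigned id) {
    for (int i = 0; i < MAX_XACT; i++)
        if (table[i].in_use && table[i].id == id) return &table[i];
    return NULL;
}

enum { RSP_FORWARDED = 0, RSP_DROPPED_NO_XACT = 1 };

/* Hardened handler: peer-controlled timing can always make the lookup fail,
 * so a NULL result is logged and the message dropped, never dereferenced
 * or asserted on. */
int handle_modify_bearer_response(unsigned s11_id) {
    s11_xact_t *x = s11_xact_find(s11_id);
    if (x == NULL) {
        fprintf(stderr, "late S5-C response: S11 xact %u gone, dropped\n", s11_id);
        return RSP_DROPPED_NO_XACT;
    }
    x->in_use = 0; /* transaction completes; the S11 reply would be sent here */
    return RSP_FORWARDED;
}

int main(void) {
    s11_xact_create(1, 0);
    s11_xact_expire(5); /* transaction 1 times out before the response arrives */
    return handle_modify_bearer_response(1) == RSP_DROPPED_NO_XACT ? 0 : 1;
}
```

The dropped-response log line doubles as a detection signal: a burst of late S5-C responses from one peer is worth alerting on.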