Open5GS SGWC
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.6
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.6, specifically within the SGWC component. The issue arises in the 'sgwc_tunnel_add' function, located in '/src/sgwc/context.c'. The vulnerability can be exploited remotely by manipulating the 'pdr' argument, leading to a reachable assertion failure. This exploitation causes the application to crash, disrupting service availability.
Exploitation of this vulnerability causes a crash in the SGWC component, leading to a denial-of-service condition where the application is terminated and unavailable until restarted.
The vulnerability can be reproduced by sending a sequence of GTPv2-C messages that overload the tunnel management system. This is done by first establishing multiple bearer contexts through 'CreateSessionRequest' messages. Then, 'CreateIndirectDataForwardingTunnelRequest' messages are sent, repeatedly using the same bearer contexts, to exhaust the available PDR IDs. Once the PDR ID pool is depleted, the 'sgwc_tunnel_add' function fails an assertion check, causing a crash. This process can be automated with a provided proof-of-concept exploit, which simulates the necessary GTPv2-C message exchanges to trigger the vulnerability.
Users are advised to update to the patched version of Open5GS, which is available in the official repository.
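The failure mode described above, a finite ID pool whose exhaustion reaches an assertion, is shown here as an added C example; it is not Open5GS source code and not the project's patch. The pool size and all names (`pdr_pool_t`, `tunnel_add_asserting`, `tunnel_add_checked`, `handle_requests`) are hypothetical, and the code contrasts aborting on an empty pool with returning an error that the caller can turn into a rejection.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

#define PDR_POOL_SIZE 4   /* constructed value, kept tiny so exhaustion is easy to see */
typedef struct { bool used[PDR_POOL_SIZE]; } pdr_pool_t;

/* Returns an ID in 1..PDR_POOL_SIZE, or 0 when every ID is in use. */
unsigned pdr_id_alloc(pdr_pool_t *p) {
    for (unsigned i = 0; i < PDR_POOL_SIZE; i++)
        if (!p->used[i]) { p->used[i] = true; return i + 1; }
    return 0;
}

void pdr_id_free(pdr_pool_t *p, unsigned id) {
    if (id >= 1 && id <= PDR_POOL_SIZE) p->used[id - 1] = false;
}

/* Crash-prone pattern: peer-driven exhaustion reaches the assert and aborts. */
unsigned tunnel_add_asserting(pdr_pool_t *p) {
    unsigned id = pdr_id_alloc(p);
    assert(id != 0);      /* condition is controlled by request volume */
    return id;
}

/* Hardened pattern: exhaustion is an ordinary error, not a fatal invariant. */
int tunnel_add_checked(pdr_pool_t *p, unsigned *id_out) {
    unsigned id = pdr_id_alloc(p);
    if (id == 0) return -1;   /* no free ID: report failure, keep running */
    *id_out = id;
    return 0;
}

/* Hypothetical request loop: counts accepted and rejected tunnel requests. */
int handle_requests(pdr_pool_t *p, int n, int *rejected) {
    int accepted = 0; unsigned id;
    *rejected = 0;
    for (int i = 0; i < n; i++) {
        if (tunnel_add_checked(p, &id) == 0) accepted++;
        else (*rejected)++;   /* answer with a rejection cause instead of crashing */
    }
    return accepted;
}

int main(void) {
    pdr_pool_t pool = {0}; int rejected;
    int ok = handle_requests(&pool, 10, &rejected);
    printf("accepted=%d rejected=%d\n", ok, rejected);
    return 0;
}
```

With the checked variant the process stays up once the pool is empty, and a freed ID becomes available to the next request.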