Open5GS SGWC Null Pointer Dereference Vulnerability in PGW S5U Address Handling

Vulnerability

A null pointer dereference vulnerability has been identified in Open5GS versions prior to 2.7.6. The issue is in the SGW-C component's PGW S5U address handling when it processes Modify Bearer Response messages. It can be exploited remotely and causes a denial-of-service condition by crashing the SGW-C process. The root cause is that the PGW S5U tunnel address is not properly initialized, which triggers an assertion failure when the SGW-C attempts to build a Create Session Response back to the MME.

Impact

Exploitation of this vulnerability causes the SGW-C process to crash, leading to a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send a Create Session Request with the Operation Indication (OI) flag set. This will trigger the SGW-C to send a Modify Bearer Request to the PGW. If the subsequent Modify Bearer Response does not include the necessary PGW S5U tunnel address, SGW-C will crash when it tries to process the response and build a Create Session Response for the MME. This can be automated with a public exploit available on GitHub.

Remediation

Users are advised to update to Open5GS version 2.7.6 or later, where this vulnerability has been patched.
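The failure mode described above, shown as an added example: state that depends on a peer message is asserted in one builder and validated in the other, so a missing address rejects one session instead of aborting the process. This is not Open5GS code and not the 2.7.6 patch; the types, function names, and the choice of GTPv2 cause 103 for the rejection are assumptions.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a user-plane tunnel endpoint; not Open5GS types. */
typedef struct {
    uint32_t teid;
    int has_ipv4, has_ipv6;          /* both 0 until a peer message sets them */
    uint8_t ipv4[4], ipv6[16];
} tunnel_t;

enum { IFACE_S5U_PGW = 5, FTEID_MAX = 25,
       CAUSE_ACCEPTED = 16, CAUSE_COND_IE_MISSING = 103 };

/* Encode an F-TEID value: V4/V6 flags + interface type, TEID, then addresses. */
size_t encode_fteid(const tunnel_t *t, uint8_t iface, uint8_t out[FTEID_MAX])
{
    size_t n = 0;
    out[n++] = (uint8_t)((t->has_ipv4 ? 0x80 : 0) | (t->has_ipv6 ? 0x40 : 0) | (iface & 0x3f));
    out[n++] = (uint8_t)(t->teid >> 24); out[n++] = (uint8_t)(t->teid >> 16);
    out[n++] = (uint8_t)(t->teid >> 8);  out[n++] = (uint8_t)t->teid;
    if (t->has_ipv4) { memcpy(out + n, t->ipv4, 4);  n += 4; }
    if (t->has_ipv6) { memcpy(out + n, t->ipv6, 16); n += 16; }
    return n;
}

/* Crash-prone pattern: a missing address aborts the whole process. */
size_t build_csr_asserting(const tunnel_t *pgw_s5u, uint8_t out[FTEID_MAX])
{
    assert(pgw_s5u->has_ipv4 || pgw_s5u->has_ipv6);
    return encode_fteid(pgw_s5u, IFACE_S5U_PGW, out);
}

/* Hardened pattern: validate first, fail only this session with a cause value. */
int build_csr_checked(const tunnel_t *pgw_s5u, uint8_t out[FTEID_MAX], size_t *len)
{
    *len = 0;
    if (!pgw_s5u || (!pgw_s5u->has_ipv4 && !pgw_s5u->has_ipv6))
        return CAUSE_COND_IE_MISSING;    /* assumed cause choice */
    *len = encode_fteid(pgw_s5u, IFACE_S5U_PGW, out);
    return CAUSE_ACCEPTED;
}

int main(void)
{
    tunnel_t unset = { .teid = 0x1234 }; /* constructed: address never populated */
    uint8_t buf[FTEID_MAX]; size_t len;
    int cause = build_csr_checked(&unset, buf, &len);
    printf("cause=%d len=%zu\n", cause, len);
    return 0;
}
```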

Added: Feb 6, 2026, 7:31 PM
Updated: Feb 6, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.