Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.6
A memory corruption vulnerability has been identified in Open5GS versions through 2.7.6, specifically within the SGW-C component's session management. The issue arises when a Create Session Response is received on the S5-C interface, containing a PDN Address Allocation (PAA) Information Element (IE) with a length that exceeds the expected size. This discrepancy allows for a buffer overflow, as the software fails to properly validate the length before processing the PAA data. The vulnerability can be exploited remotely, leading to a crash of the SGW-C process.
Exploitation of this vulnerability causes a segmentation fault in the SGW-C process, leading to a crash and a denial-of-service condition on the affected system.
The vulnerability can be reproduced by sending a Create Session Response with an oversized PAA length over the S5-C interface. This can be done using a crafted UDP packet that exploits the lack of bounds checking in the SGW-C's response handling function.
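The missing check described above, written as a bounds-checked PAA parser. This is an added example, not Open5GS code: `paa_t`, `paa_parse` and `paa_expected_len` are hypothetical names, and the PAA layout (PDN type octet, then an IPv4 address and/or an IPv6 prefix length plus address) is assumed from 3GPP TS 29.274.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PDN type values and PAA layout assumed from 3GPP TS 29.274 (GTPv2-C). */
enum { PDN_IPV4 = 1, PDN_IPV6 = 2, PDN_IPV4V6 = 3 };
#define PAA_MAX_LEN 22  /* 1 type + 1 prefix len + 16 IPv6 + 4 IPv4 */

/* Hypothetical fixed-size destination, standing in for session state. */
typedef struct {
    uint8_t pdn_type;
    uint8_t ipv6_prefix_len;
    uint8_t ipv6[16];
    uint8_t ipv4[4];
} paa_t;

/* Exact IE value length each PDN type must have; 0 for unknown types. */
static size_t paa_expected_len(uint8_t pdn_type)
{
    switch (pdn_type) {
    case PDN_IPV4:   return 1 + 4;
    case PDN_IPV6:   return 1 + 1 + 16;
    case PDN_IPV4V6: return 1 + 1 + 16 + 4;
    default:         return 0;
    }
}

/* Copy a received PAA value into *out. Returns 0 on success, -1 if the
 * IE must be rejected. The sender-controlled ie_len is never used as a
 * copy size; it is only compared with the length the PDN type implies. */
int paa_parse(const uint8_t *ie, size_t ie_len, paa_t *out)
{
    if (ie == NULL || out == NULL || ie_len == 0 || ie_len > PAA_MAX_LEN)
        return -1;
    uint8_t type = ie[0] & 0x07;          /* low 3 bits carry the PDN type */
    if (paa_expected_len(type) != ie_len)
        return -1;
    memset(out, 0, sizeof(*out));
    out->pdn_type = type;
    const uint8_t *p = ie + 1;
    if (type != PDN_IPV4) {               /* IPv6 part present */
        out->ipv6_prefix_len = *p++;
        memcpy(out->ipv6, p, sizeof(out->ipv6));
        p += sizeof(out->ipv6);
    }
    if (type != PDN_IPV6)                 /* IPv4 part present */
        memcpy(out->ipv4, p, sizeof(out->ipv4));
    return 0;
}
```

A response handler that receives -1 here should reject the message instead of storing the PAA, so an oversized IE never reaches a fixed-size copy.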