Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.6
A memory corruption vulnerability has been identified in Open5GS versions through 2.7.6, specifically within the MME component. The issue arises in the file '/src/mme/esm-build.c', where the length of the PDN Address Allocation (PAA) Information Element (IE) is not properly bounds-checked and can therefore be manipulated. An attacker who can send a forged CreateSessionResponse to the MME over the S11 interface can supply an oversized PAA IE length; the unchecked length causes memory to be overwritten, resulting in a segmentation fault and a remote denial-of-service condition.
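The root cause described above is a length-prefixed IE whose declared length is trusted before it is copied. The following C example is added here and is not Open5GS code; it shows what a strict GTPv2-C PAA IE decoder looks like from the defender's side: the declared length is checked against the bytes actually present in the buffer and against the fixed size implied by the PDN type before anything is copied into a fixed-size structure. The IE layout (type 79, 2-byte length excluding the 4-byte header, spare/instance octet, PDN Type octet, then the address) follows 3GPP TS 29.274 as understood by the author of this example; the struct and function names and the sample byte strings are constructed for the example and do not come from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* GTPv2-C PAA IE layout assumed here (3GPP TS 29.274, clause 8.34):
 *   Type (1) | Length (2, big-endian, excludes this 4-byte header) |
 *   Spare/Instance (1) | PDN Type (1) | address octets                */
#define GTPV2C_IE_PAA        79
#define PAA_PDN_TYPE_IPV4    1
#define PAA_PDN_TYPE_IPV6    2
#define PAA_PDN_TYPE_IPV4V6  3

/* Fixed-size destination; the whole point is never to write past it. */
typedef struct {
    uint8_t pdn_type;
    uint8_t ipv6_prefix_len;
    uint8_t ipv6[16];
    uint8_t ipv4[4];
} paa_t;

enum paa_result {
    PAA_OK = 0,
    PAA_ERR_TRUNCATED,   /* declared length runs past the bytes we actually have */
    PAA_ERR_TYPE,        /* not a PAA IE at all */
    PAA_ERR_LENGTH,      /* length does not match the fixed size for the PDN type */
    PAA_ERR_PDN_TYPE     /* unknown PDN type */
};

/* Exact value length (including the PDN Type octet) for each PDN type; 0 = unknown. */
static size_t paa_expected_len(uint8_t pdn_type)
{
    switch (pdn_type) {
    case PAA_PDN_TYPE_IPV4:   return 1 + 4;
    case PAA_PDN_TYPE_IPV6:   return 1 + 1 + 16;
    case PAA_PDN_TYPE_IPV4V6: return 1 + 1 + 16 + 4;
    default:                  return 0;
    }
}

/* Decode a PAA IE starting at buf[0]. `avail` is the number of bytes really
 * present in the buffer, i.e. the only length the parser is allowed to trust. */
enum paa_result paa_decode(const uint8_t *buf, size_t avail, paa_t *out)
{
    if (avail < 4)                return PAA_ERR_TRUNCATED; /* need the full IE header */
    if (buf[0] != GTPV2C_IE_PAA)  return PAA_ERR_TYPE;

    size_t len = ((size_t)buf[1] << 8) | buf[2];
    if (len > avail - 4)          return PAA_ERR_TRUNCATED; /* attacker-controlled length vs. reality */
    if (len < 1)                  return PAA_ERR_LENGTH;    /* PDN Type octet must exist */

    uint8_t pdn_type = buf[4];
    size_t expect = paa_expected_len(pdn_type);
    if (expect == 0)              return PAA_ERR_PDN_TYPE;
    if (len != expect)            return PAA_ERR_LENGTH;    /* sizes are fixed: reject oversized too */

    /* Only now is it safe to copy into the fixed-size structure. */
    memset(out, 0, sizeof(*out));
    out->pdn_type = pdn_type;
    const uint8_t *p = buf + 5;
    if (pdn_type == PAA_PDN_TYPE_IPV4) {
        memcpy(out->ipv4, p, 4);
    } else {
        out->ipv6_prefix_len = p[0];
        memcpy(out->ipv6, p + 1, 16);
        if (pdn_type == PAA_PDN_TYPE_IPV4V6)
            memcpy(out->ipv4, p + 17, 4);
    }
    return PAA_OK;
}

/* Constructed sample IEs (not captured traffic). */
/* Well-formed IPv4 PAA: length 5, PDN type 1, address 10.45.0.7 */
static const uint8_t paa_valid_ipv4[] = { 79, 0x00, 0x05, 0x00, 1, 10, 45, 0, 7 };
/* Declared length 0x0200 = 512, but only 5 bytes follow the header. */
static const uint8_t paa_oversized[]  = { 79, 0x02, 0x00, 0x00, 1, 10, 45, 0, 7 };
/* Length 20 fits inside the buffer but is wrong for PDN type IPv4 (expects 5). */
static const uint8_t paa_wrong_len[]  = { 79, 0x00, 0x14, 0x00, 1,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int demo_valid(void)
{
    paa_t paa;
    return paa_decode(paa_valid_ipv4, sizeof paa_valid_ipv4, &paa) == PAA_OK
        && paa.pdn_type == PAA_PDN_TYPE_IPV4
        && paa.ipv4[0] == 10 && paa.ipv4[1] == 45 && paa.ipv4[2] == 0 && paa.ipv4[3] == 7;
}
int demo_oversized(void) { paa_t paa; return paa_decode(paa_oversized, sizeof paa_oversized, &paa); }
int demo_wrong_len(void) { paa_t paa; return paa_decode(paa_wrong_len, sizeof paa_wrong_len, &paa); }

int main(void)
{
    printf("valid decodes: %d\n", demo_valid());              /* 1 */
    printf("oversized length -> %d\n", demo_oversized());     /* PAA_ERR_TRUNCATED */
    printf("wrong fixed length -> %d\n", demo_wrong_len());   /* PAA_ERR_LENGTH */
    return 0;
}
```

The two checks that matter are the comparison of the declared length against `avail` (what the peer claims versus what was actually received) and the exact-size comparison against the PDN type; a decoder that performs only the first still lets a length larger than the destination structure through, which is the class of defect the advisory describes.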
Exploitation of this vulnerability causes the Open5GS MME process to crash, terminating the session management function and disrupting ongoing operations.
The vulnerability can be reproduced by sending a CreateSessionResponse with an oversized PAA IE length to the MME over the S11 interface. This can be done using a custom Go program that mocks the SGW response, after initiating a session request from the MME.