aligungr UERANSIM Radio Link Simulation Layer Uncaught Exception Vulnerability in RLS Message Decoder
Vulnerability
A denial-of-service vulnerability has been identified in aligungr UERANSIM versions through 3.2.7. The issue arises in the Radio Link Simulation (RLS) layer, specifically within the function rls::DecodeRlsMessage in the file src/lib/rls/rls_pdu.cpp. The vulnerability is triggered by a malformed RLS packet that is sent to the gNodeB's RLS listener over UDP. The packet's declared PDU length can be manipulated to create a mismatch with the actual datagram size, leading to an uncaught exception. This exception propagates up the call stack, causing the gNodeB process to crash. The vulnerability can be exploited remotely, without authentication, by any host with UDP reachability to the gNodeB.
Impact
Exploitation of this vulnerability crashes the gNodeB process, disrupting connectivity for all attached user equipment until the process is restarted. Because each crash requires a restart, repeated attacks can cause ongoing disruption of service.
Reproduction
To reproduce this vulnerability, send a malformed RLS PDU_TRANSMISSION message with an invalid PDU length to the gNodeB's RLS UDP listener on port 4997. The gNodeB will crash due to the uncaught exception caused by the invalid length.
Remediation
Upgrade to UERANSIM version 3.2.8, which includes a patch for this vulnerability.
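The failure mode described above (a declared PDU length trusted by the decoder) and the kind of fix the remediation implies, shown as an added C++ example. This is not UERANSIM's code and the datagram layout is a constructed stand-in, not the real RLS wire format; `decodeUnchecked`, `decodeChecked` and `handleDatagram` are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Simplified stand-in for an RLS datagram (constructed for illustration, not the
// real UERANSIM wire format): 1-byte message type, 4-byte big-endian declared
// PDU length, then the PDU bytes.
struct RlsPdu { uint8_t msgType = 0; std::vector<uint8_t> pdu; };
std::vector<uint8_t> makeDatagram(uint32_t declaredLen, const std::vector<uint8_t>& pdu) {
    std::vector<uint8_t> d = {0x01, uint8_t(declaredLen >> 24), uint8_t(declaredLen >> 16),
                              uint8_t(declaredLen >> 8), uint8_t(declaredLen)};
    d.insert(d.end(), pdu.begin(), pdu.end());
    return d;
}
static uint32_t readU32BE(const std::vector<uint8_t>& d, size_t off) {
    return (uint32_t(d.at(off)) << 24) | (uint32_t(d.at(off + 1)) << 16) |
           (uint32_t(d.at(off + 2)) << 8) | uint32_t(d.at(off + 3));
}
// Vulnerable pattern: the declared length is trusted, so a datagram shorter than
// it claims makes vector::at() throw std::out_of_range, and nothing catches it.
RlsPdu decodeUnchecked(const std::vector<uint8_t>& d) {
    RlsPdu m;
    m.msgType = d.at(0);
    uint32_t len = readU32BE(d, 1);
    for (uint32_t i = 0; i < len; i++) m.pdu.push_back(d.at(5 + i));
    return m;
}
// Hardened decoder: bound the declared length by the bytes actually received and
// report a decode failure instead of throwing.
bool decodeChecked(const std::vector<uint8_t>& d, RlsPdu& out) {
    const size_t hdr = 5;
    if (d.size() < hdr) return false;
    uint32_t len = readU32BE(d, 1);
    if (len > d.size() - hdr) return false;  // declared length exceeds datagram
    out.msgType = d[0];
    out.pdu.assign(d.begin() + hdr, d.begin() + hdr + len);
    return true;
}
// Listener boundary: catch decode exceptions so one bad datagram is dropped
// (and logged) rather than terminating the whole gNB process.
bool handleDatagram(const std::vector<uint8_t>& d, bool hardened) {
    try {
        RlsPdu m;
        if (hardened) return decodeChecked(d, m);
        m = decodeUnchecked(d);
        return true;
    } catch (const std::exception&) { return false; }
}
```

The two defences are complementary: the length check rejects the malformed datagram, and the catch at the listener boundary ensures that any decoder bug that remains cannot take the whole process down.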