Open5GS Out-of-Bounds Read Vulnerability in NF Component

Vulnerability

A vulnerability allowing for an out-of-bounds read has been identified in Open5GS versions through 2.7.7. This issue resides in the NF component, specifically within the function 'ogs_sbi_client_send_via_scp_or_sepp' in the file 'lib/sbi/client.c'. The vulnerability can be exploited remotely, leading to a denial-of-service condition by causing the Open5GS UPF process to crash. This crash occurs when the system receives crafted or malformed GTP-U traffic on UDP port 2152, disrupting active PDU sessions.

Impact

Exploitation of this vulnerability causes the Open5GS UPF process to crash, indicated by a SIGSEGV signal, commonly seen as exit code 139 in container environments. This crash creates a user-plane outage for active PDU sessions.

Reproduction

To reproduce this vulnerability, first ensure that Open5GS UPF is running and has an active PDU session, which provides a valid TEID. Then, send sustained crafted or malformed GTP-U traffic to the UPF GTP-U endpoint on UDP port 2152. Monitor the UPF process for signs of a crash, such as a SIGSEGV signal or exit code 139.

Remediation

Users are advised to update to Open5GS version 2.7.8 or later, where this vulnerability has been patched.
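The advisory does not say which part of the malformed GTP-U traffic triggers the read, so the following is an added defensive example, not Open5GS code and not the 2.7.8 patch. It shows the bounds checks a receiver on UDP port 2152 should pass before touching any GTP-U header field. The function name and sample packets are constructed for illustration, and the header layout assumed is the standard GTPv1-U one (3GPP TS 29.281).

```c
#include <stddef.h>
#include <stdint.h>

#define GTPU_HDR 8u   /* flags, message type, length, TEID */
#define GTPU_OPT 4u   /* sequence number, N-PDU number, next extension type */

/* Hypothetical helper: returns the offset of the inner payload in buf,
 * or -1 if the datagram is malformed. Every read follows a length check. */
int gtpu_payload_offset(const uint8_t *buf, size_t len, uint32_t *teid)
{
    if (buf == NULL || len < GTPU_HDR)
        return -1;                              /* truncated mandatory header */
    if ((buf[0] >> 5) != 1 || !(buf[0] & 0x10))
        return -1;                              /* require version 1, PT = GTP */

    size_t declared = ((size_t)buf[2] << 8) | buf[3];
    if (declared > len - GTPU_HDR)
        return -1;                              /* length field exceeds datagram */
    size_t end = GTPU_HDR + declared;           /* never parse past this point */
    size_t off = GTPU_HDR;

    if (buf[0] & 0x07) {                        /* any of E, S, PN set */
        if (end - off < GTPU_OPT)
            return -1;
        uint8_t next = (buf[0] & 0x04) ? buf[off + 3] : 0;
        off += GTPU_OPT;
        while (next != 0) {                     /* walk the extension chain */
            if (end - off < 1)
                return -1;
            size_t ext_len = (size_t)buf[off] * 4u;   /* units of 4 octets */
            if (ext_len == 0 || ext_len > end - off)
                return -1;                      /* zero-length or overrunning */
            next = buf[off + ext_len - 1];
            off += ext_len;
        }
    }
    if (teid)
        *teid = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                ((uint32_t)buf[6] << 8) | buf[7];
    return (int)off;
}

/* Constructed samples (not captured traffic). */
static const uint8_t ok_plain[] = {0x30,0xff,0x00,0x04, 0,0,0,1, 0xde,0xad,0xbe,0xef};
static const uint8_t ok_ext[]   = {0x34,0xff,0x00,0x0a, 0,0,0,2, 0,0,0,0x85,
                                   0x01,0x00,0x09,0x00, 0x45,0x00};
static const uint8_t bad_len[]  = {0x30,0xff,0x00,0x40, 0,0,0,1, 0xde,0xad,0xbe,0xef};
static const uint8_t bad_ext0[] = {0x34,0xff,0x00,0x08, 0,0,0,2, 0,0,0,0x85, 0,0,0,0};
static const uint8_t bad_extN[] = {0x34,0xff,0x00,0x08, 0,0,0,2, 0,0,0,0x85, 0x10,0,0,0};
```

A parser that trusts the length field or an extension header length without these comparisons reads past the end of the receive buffer, which is the class of fault behind the SIGSEGV described in this advisory.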

Added: May 9, 2026, 12:20 PM
Updated: May 9, 2026, 12:20 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 3.1
exploitability: 9.1
remediation: 7.7
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.