Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.7
A resource consumption vulnerability has been identified in Open5GS versions prior to 2.7.7, specifically within the User Plane Function (UPF) component. The issue lies in the GTPv1-U receive callback function, where improper handling of GTP-U Echo Requests and of G-PDUs with invalid or unknown TEIDs can significantly degrade user-plane performance. The result is inflated latency and increased packet loss on legitimate traffic, which disrupts time-sensitive data and control flows. The problem can be exploited remotely by sending a sustained stream of abusive GTP-U traffic to the UPF endpoint, interleaving Echo Requests with G-PDUs that reference invalid TEIDs; this triggers resource-intensive error handling on the hot path of the data stream.
Exploitation of this vulnerability causes severe degradation of user-plane performance, characterized by increased latency and packet loss on legitimate traffic, while GTP sessions may appear to remain active. This behavior can disrupt timely control and data exchanges, rendering the user plane effectively unusable for critical communications.
The vulnerability can be reproduced by establishing a baseline of normal user-plane traffic through the UPF, such as ICMP pings or steady UDP flows between user equipment. Once this baseline is established, a sustained stream of GTP-U Echo Requests and G-PDUs with invalid TEIDs can be sent to the UPF's GTP-U endpoint. While this abusive traffic is ongoing, the impact on the legitimate traffic can be measured, typically showing a significant increase in latency and packet loss.
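The traffic pattern described above can be watched for on the N3 side of the UPF. The following is an added detection sketch, not code from Open5GS or from this advisory: it parses the fixed 8-byte GTPv1-U header and counts, per source, Echo Requests and G-PDUs whose TEID is not in the set of active sessions. The function names, thresholds, addresses and TEIDs are assumptions made for illustration, and the packets are constructed sample data.

```python
import struct
from collections import Counter

GTPU_ECHO_REQUEST = 1  # GTPv1-U message type values
GTPU_G_PDU = 255

def parse_gtpu(payload):
    """Return (msg_type, teid) from a GTPv1-U UDP payload, or None if it is not GTPv1-U."""
    if len(payload) < 8:  # mandatory header: flags, type, length, TEID
        return None
    flags, msg_type, _length, teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1 or not flags & 0x10:  # version must be 1, protocol type GTP
        return None
    return msg_type, teid

def suspicious_sources(packets, active_teids, echo_limit, bad_teid_limit):
    """Flag sources exceeding either limit within one observation window.

    packets: iterable of (src_ip, udp_payload); active_teids: TEIDs the UPF
    currently has sessions for (assumed to come from its session table).
    Returns {src_ip: (echo_requests, unknown_teid_gpdus)}.
    """
    echo, bad = Counter(), Counter()
    for src, payload in packets:
        parsed = parse_gtpu(payload)
        if parsed is None:
            continue
        msg_type, teid = parsed
        if msg_type == GTPU_ECHO_REQUEST:
            echo[src] += 1
        elif msg_type == GTPU_G_PDU and teid not in active_teids:
            bad[src] += 1
    return {src: (echo[src], bad[src]) for src in set(echo) | set(bad)
            if echo[src] > echo_limit or bad[src] > bad_teid_limit}

def _pkt(flags, msg_type, teid, body=b""):
    """Build a constructed GTPv1-U packet for the sample window below."""
    return struct.pack("!BBHI", flags, msg_type, len(body), teid) + body

# Constructed sample window: documentation addresses and made-up TEIDs.
ACTIVE_TEIDS = {0x1001}
SAMPLE_WINDOW = (
    [("192.0.2.10", _pkt(0x32, GTPU_ECHO_REQUEST, 0, b"\x00\x01\x00\x00"))]
    + [("192.0.2.10", _pkt(0x30, GTPU_G_PDU, 0x1001, b"data"))] * 3
    + [("192.0.2.66", _pkt(0x32, GTPU_ECHO_REQUEST, 0, b"\x00\x02\x00\x00"))] * 5
    + [("192.0.2.66", _pkt(0x30, GTPU_G_PDU, 0xDEADBEEF, b"data"))] * 5
)

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_WINDOW, ACTIVE_TEIDS, echo_limit=2, bad_teid_limit=2))
```

Sources that are flagged while sessions still appear active match the symptom described above, so the counters are best correlated with latency and loss measurements on legitimate flows.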