CVE-2025-15417

Source: cna@vuldb.com

MEDIUM
4.8
Published: January 1, 2026 at 11:15 PM
Modified: January 6, 2026 at 03:22 PM

Vulnerability Description

A vulnerability was identified in Open5GS up to 2.7.6. Affected is the function sgwc_s11_handle_create_session_request of the file src/sgwc/s11-handler.c of the component GTPv2-C F-TEID Handler. Such manipulation leads to denial of service. The attack must be carried out locally. The exploit is publicly available and might be used. The name of the patch is 465273d13ba5d47b274c38c9d1b07f04859178a1. A patch should be applied to remediate this issue.

CVSS Metrics

Base Score: 4.8
Severity: MEDIUM
Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: cna@vuldb.com

AI Security Analysis

01 // Technical Summary

Open5GS versions up to 2.7.6 are vulnerable to a denial-of-service (DoS) attack due to a flaw in the GTPv2-C F-TEID handler. An attacker can trigger this vulnerability locally, potentially disrupting critical network services. This vulnerability has a publicly available exploit, increasing the risk of exploitation.

02 // Vulnerability Mechanism

Step 1: Trigger Condition: The attacker must be able to send a crafted GTPv2-C Create Session Request message to the Open5GS instance. This requires local network access, meaning the attacker must be on the same network or have a foothold on a system within the network.

Step 2: Crafting the Payload: The attacker crafts a malicious GTPv2-C Create Session Request message. The specifics of the crafted message are not fully detailed in the CVE, but it likely involves manipulating the F-TEID parameters within the request. This could involve sending an invalid F-TEID, a large number of F-TEIDs, or a malformed F-TEID.

Step 3: Message Delivery: The attacker sends the crafted Create Session Request message to the Open5GS instance.

Step 4: Vulnerability Trigger: The sgwc_s11_handle_create_session_request function processes the malicious request. Due to the vulnerability, processing the malformed F-TEID data leads to a DoS condition. This could manifest as a crash of the Open5GS process, resource exhaustion, or a hang.

Step 5: Denial of Service: The Open5GS instance becomes unavailable, disrupting network services.

03 // Deep Technical Analysis

The vulnerability resides in the sgwc_s11_handle_create_session_request function in src/sgwc/s11-handler.c. The root cause is likely a flaw in how the function handles GTPv2-C Create Session Request messages, specifically in F-TEID processing. The description suggests that manipulating the F-TEID data leads to a DoS. This could involve issues such as improper memory allocation, integer overflow, or resource exhaustion when processing the request. The patch 465273d13ba5d47b274c38c9d1b07f04859178a1 likely addresses the specific logic error causing the DoS, potentially by validating input parameters more rigorously or by implementing better resource management.

04 // Exploitation Status

Public PoC. The CVE states that the exploit is publicly available, indicating that proof-of-concept (PoC) exploit code is likely accessible. This significantly increases the risk of exploitation.

05 // Threat Intelligence

While no specific APTs or malware are explicitly mentioned in the CVE, the availability of a public exploit increases the likelihood of opportunistic exploitation by various threat actors. The local nature of the attack means that any attacker with local network access is a potential threat. CISA KEV status is not available for this CVE at this time.

06 // Detection & Hunting

  • Monitor network traffic for anomalous GTPv2-C Create Session Request messages, especially those with unusual F-TEID parameters (e.g., invalid values, excessive number of F-TEIDs).

  • Analyze Open5GS logs for error messages or crashes related to the sgwc_s11_handle_create_session_request function.

  • Implement intrusion detection systems (IDS) rules to identify and alert on suspicious GTPv2-C traffic patterns.

  • Monitor system resource usage (CPU, memory, disk I/O) on the Open5GS server for sudden spikes or exhaustion, which could indicate a DoS attack.
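A way to implement the first hunting item above, as an added example that is not part of the original advisory or the Open5GS code base. It audits the UDP payload of a GTPv2-C message (already extracted from a capture on the GTP-C port) for structurally malformed F-TEID elements, following the generic header and IE layout of 3GPP TS 29.274; the CVE does not detail the actual trigger, so these are general sanity checks rather than a signature for this bug, and the function names and sample packets are constructed for illustration.

```python
import struct

CREATE_SESSION_REQUEST, IE_F_TEID, IE_BEARER_CONTEXT = 32, 87, 93  # 3GPP TS 29.274

def check_fteid(value, inst):
    """Check one F-TEID value: flags octet, 4-byte TEID, then IPv4 and/or IPv6."""
    out = []
    flags = value[0] if value else 0
    need = 5 + (4 if flags & 0x80 else 0) + (16 if flags & 0x40 else 0)
    if not flags & 0xC0:
        out.append("neither V4 nor V6 set")
    if len(value) < need:
        out.append(f"{len(value)} bytes, flags imply {need}")
    return [f"F-TEID[{inst}]: {m}" for m in out]

def walk_ies(buf, findings):
    """Walk type/length/instance/value IEs, descending into grouped Bearer Contexts."""
    off = 0
    while off + 4 <= len(buf):
        ie_type, ie_len, inst = struct.unpack_from("!BHB", buf, off)
        value = buf[off + 4:off + 4 + ie_len]
        if len(value) < ie_len:
            findings.append(f"IE {ie_type}: length {ie_len} overruns enclosing data")
            return
        if ie_type == IE_F_TEID:
            findings.extend(check_fteid(value, inst & 0x0F))
        elif ie_type == IE_BEARER_CONTEXT:
            walk_ies(value, findings)
        off += 4 + ie_len
    if off < len(buf):
        findings.append(f"{len(buf) - off} trailing bytes, too short for an IE header")

def audit(pkt):
    """Return findings for one GTPv2-C datagram; [] means nothing to report."""
    if len(pkt) < 8 or pkt[0] >> 5 != 2 or pkt[1] != CREATE_SESSION_REQUEST:
        return []  # out of scope: this check only covers Create Session Requests
    findings = []
    if struct.unpack_from("!H", pkt, 2)[0] != len(pkt) - 4:
        findings.append("header length field disagrees with datagram size")
    walk_ies(pkt[12 if pkt[0] & 0x08 else 8:], findings)  # T flag adds a 4-byte TEID
    return findings

# Constructed samples (not captured traffic): T flag set, TEID 0, sequence number 1.
def ie(t, value, inst=0):
    return struct.pack("!BHB", t, len(value), inst) + value
def csr(body):
    return struct.pack("!BBHI3sx", 0x48, 32, len(body) + 8, 0, b"\0\0\1") + body
GOOD = csr(ie(87, b"\x8a\x00\x00\x12\x34" + bytes([10, 0, 0, 1])))
NO_ADDR = csr(ie(93, ie(87, b"\x05" + bytes(4), inst=2)))
```

Any non-empty result from `audit()` is a candidate for correlation with SGW-C error logs or restarts around the same timestamp.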

07 // Remediation & Hardening

  • Apply the patch 465273d13ba5d47b274c38c9d1b07f04859178a1 to remediate the vulnerability.

  • Upgrade Open5GS to a version that includes the fix for this vulnerability (likely 2.7.7 or later).

  • Implement network segmentation to restrict access to the Open5GS instance to only trusted devices and networks.

  • Regularly monitor Open5GS logs for suspicious activity and errors.

  • Implement input validation to ensure that all GTPv2-C messages, especially those related to F-TEIDs, are properly formatted and within acceptable ranges.

  • Consider rate-limiting GTPv2-C Create Session Request messages to mitigate potential DoS attacks.

08 // Affected Products

Open5GS up to and including version 2.7.6