A vulnerability was identified in Open5GS up to 2.7.6. The affected function is sgwc_s11_handle_create_session_request in the file src/sgwc/s11-handler.c, part of the GTPv2-C F-TEID Handler component. Manipulating it leads to denial of service. The attack must be carried out locally. An exploit is publicly available and might be used. The patch is identified as 465273d13ba5d47b274c38c9d1b07f04859178a1; it should be applied to remediate this issue.
Open5GS versions up to 2.7.6 are vulnerable to a denial-of-service (DoS) attack due to a flaw in the GTPv2-C F-TEID handler. An attacker can trigger this vulnerability locally, potentially disrupting critical network services. Publicly available exploits increase the risk of widespread disruption.
Step 1: Trigger Preparation: The attacker prepares a crafted GTPv2-C Create Session Request message. This message will contain malicious data designed to exploit the vulnerability.
Step 2: Message Delivery: The attacker sends the crafted Create Session Request message to the Open5GS SGWC (Serving Gateway Control Plane).
Step 3: Function Execution: The sgwc_s11_handle_create_session_request function processes the malicious message.
Step 4: Vulnerability Trigger: The crafted input causes the function to enter an error state, likely due to a memory management issue or resource exhaustion.
Step 5: Denial of Service: The error condition leads to the SGWC crashing or becoming unresponsive, resulting in a DoS.
The vulnerability resides in the sgwc_s11_handle_create_session_request function in src/sgwc/s11-handler.c. The root cause is likely a flaw in how the function handles GTPv2-C Create Session Request messages, specifically in the processing of F-TEID (Fully Qualified Tunnel Endpoint Identifier) information. The vulnerability could stem from improper input validation that leads to a resource exhaustion condition or a crash. The referenced patch, 465273d13ba5d47b274c38c9d1b07f04859178a1, indicates where the fix was made, but without further details the exact nature of the flaw cannot be pinpointed. It is most likely a memory management issue, such as a memory leak, null pointer dereference, or a resource allocation error that leads to the DoS.
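As an added illustration (not Open5GS code, and not a reconstruction of the actual flaw or of the referenced patch), the following C example shows the defensive pattern the analysis above points at: decoding a GTPv2-C F-TEID IE with every field bounds-checked before it is read and with an address-less F-TEID rejected up front, so that a malformed IE in a Create Session Request produces an error code the caller can turn into a rejected request instead of an out-of-bounds read or a later null dereference. The IE layout used here (type 87, a 2-octet big-endian length, a spare/instance octet, then a flags octet whose top two bits announce IPv4/IPv6 addresses and whose low six bits carry the interface type, a 4-octet TEID, and the addresses the flags announce) follows 3GPP TS 29.274 clause 8.22; the function names, error codes, struct and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GTPV2C_IE_TYPE_FTEID 87   /* F-TEID IE type value from 3GPP TS 29.274 */

/* Result codes (constructed for this example). */
enum {
    FTEID_OK            =  0,
    FTEID_ERR_NULL      = -1,  /* NULL buffer or output pointer */
    FTEID_ERR_TRUNCATED = -2,  /* fewer octets than the fields announced */
    FTEID_ERR_TYPE      = -3,  /* IE header does not carry the F-TEID type */
    FTEID_ERR_NO_ADDR   = -4   /* neither the V4 nor the V6 flag is set */
};

/* Decoded view of an F-TEID (hypothetical struct, not Open5GS's own). */
typedef struct {
    uint8_t  interface_type;   /* low 6 bits of the flags octet */
    uint32_t teid;             /* TEID / GRE key in host byte order */
    int      has_ipv4;
    int      has_ipv6;
    uint8_t  ipv4[4];
    uint8_t  ipv6[16];
} fteid_t;

/* Decode the value part of an F-TEID IE (everything after the 4-octet IE
   header). Each field is checked against `len` before it is read; trailing
   octets beyond the known fields are ignored. */
int fteid_decode_value(const uint8_t *buf, size_t len, fteid_t *out)
{
    if (buf == NULL || out == NULL)
        return FTEID_ERR_NULL;
    memset(out, 0, sizeof(*out));
    if (len < 5)                          /* flags (1) + TEID (4) */
        return FTEID_ERR_TRUNCATED;

    uint8_t flags = buf[0];
    out->has_ipv4 = (flags & 0x80) != 0;
    out->has_ipv6 = (flags & 0x40) != 0;
    out->interface_type = flags & 0x3f;
    out->teid = ((uint32_t)buf[1] << 24) | ((uint32_t)buf[2] << 16) |
                ((uint32_t)buf[3] << 8)  |  (uint32_t)buf[4];

    /* An F-TEID that names no endpoint address is unusable; reject it here
       rather than let a later stage dereference an address that is not there. */
    if (!out->has_ipv4 && !out->has_ipv6)
        return FTEID_ERR_NO_ADDR;

    size_t need = 5 + (out->has_ipv4 ? 4 : 0) + (out->has_ipv6 ? 16 : 0);
    if (len < need)
        return FTEID_ERR_TRUNCATED;

    size_t off = 5;
    if (out->has_ipv4) { memcpy(out->ipv4, buf + off, 4); off += 4; }
    if (out->has_ipv6) { memcpy(out->ipv6, buf + off, 16); }
    return FTEID_OK;
}

/* Decode a complete IE: type (1), length (2, big-endian), spare/instance (1),
   value. The declared length is checked against the octets actually present,
   so a lying length field cannot drive reads past the end of the buffer. */
int fteid_decode_ie(const uint8_t *ie, size_t avail, fteid_t *out)
{
    if (ie == NULL || out == NULL)
        return FTEID_ERR_NULL;
    if (avail < 4)
        return FTEID_ERR_TRUNCATED;
    if (ie[0] != GTPV2C_IE_TYPE_FTEID)
        return FTEID_ERR_TYPE;
    size_t ie_len = ((size_t)ie[1] << 8) | ie[2];
    if (ie_len > avail - 4)
        return FTEID_ERR_TRUNCATED;
    return fteid_decode_value(ie + 4, ie_len, out);
}

/* Constructed sample: a well-formed IPv4 F-TEID IE (interface type 10,
   TEID 0x00000001, address 192.0.2.1). */
static const uint8_t sample_ok[] = {
    GTPV2C_IE_TYPE_FTEID, 0x00, 0x09, 0x00,   /* header: type, len=9, instance 0 */
    0x8a,                                     /* V4=1, V6=0, interface type 10 */
    0x00, 0x00, 0x00, 0x01,                   /* TEID */
    192, 0, 2, 1                              /* IPv4 address */
};

/* Constructed sample: the same IE, but the length field claims 20 octets. */
static const uint8_t sample_lying_len[] = {
    GTPV2C_IE_TYPE_FTEID, 0x00, 0x14, 0x00,
    0x8a, 0x00, 0x00, 0x00, 0x01, 192, 0, 2, 1
};

int main(void)
{
    fteid_t f;
    int rc = fteid_decode_ie(sample_ok, sizeof sample_ok, &f);
    printf("well-formed IE: rc=%d teid=0x%08x iface=%u\n", rc, f.teid, f.interface_type);
    rc = fteid_decode_ie(sample_lying_len, sizeof sample_lying_len, &f);
    printf("over-long length field: rc=%d (rejected, no crash)\n", rc);
    return 0;
}
```

The point of the two-layer check is that the IE's own length field is treated as untrusted input: it is compared with the bytes actually received before the value decoder ever sees it, and the value decoder then re-derives the length it needs from the flags it parsed. A caller handling a Create Session Request would map any non-zero return to a rejection of that request, leaving the control-plane process running.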