A denial-of-service flaw has been found in Open5GS versions up to 2.7.6. The affected function is ogs_gtp2_parse_bearer_qos in lib/gtp/v2/types.c, the routine that decodes the GTPv2-C Bearer QoS information element (IE). It does not correctly handle the IE's length field, so a GTPv2-C message carrying a Bearer QoS IE with a manipulated length terminates the receiving Open5GS process. The advisory rates the attack vector as local; in practice the attacker needs a position from which GTPv2-C messages (UDP port 2123) can be delivered to the affected node's control-plane interface, which for a properly segmented core means the S11/S5/S8 network or a compromised peer. A public exploit exists. The fix is commit 4e913d21f2c032b187815f063dbab5ebe65fe83a; operators should deploy the patch.
In summary: Open5GS up to 2.7.6 can be crashed by a malformed Bearer QoS IE length handled in ogs_gtp2_parse_bearer_qos. The result is an outage of the affected network function (for example an MME, SGW-C or PGW-C/SMF that terminates GTPv2-C), and because the exploit is public the bar to disruption is low for anyone who can reach the GTP-C interface.
Step 1: Target Identification: The attacker identifies an Open5GS node that terminates GTPv2-C and runs a version up to 2.7.6.
Step 2: Packet Crafting: The attacker builds a GTPv2-C message that carries a Bearer QoS IE (IE type 80, normally inside a Bearer Context grouped IE of a message such as Create Session Request or Create Bearer Request), since that IE is what ogs_gtp2_parse_bearer_qos decodes.
Step 3: Length Manipulation: The attacker sets the IE's 16-bit length field to a value other than the fixed 22-byte payload size the IE has per 3GPP TS 29.274 (shorter, or larger than the remaining message), so that the IE is internally inconsistent.
Step 4: Packet Injection: The attacker sends the message to the node's GTP-C port (UDP 2123). This requires the local or adjacent network access noted above.
Step 5: Vulnerability Trigger: The node receives the message, walks its IEs, and calls ogs_gtp2_parse_bearer_qos on the malformed IE.
Step 6: Denial of Service: Because the function does not reject the bad length before using the fixed layout, processing of the IE fails fatally and the Open5GS process exits, taking the network function down.
The vulnerability lies in ogs_gtp2_parse_bearer_qos in lib/gtp/v2/types.c. The root cause is improper handling of the Bearer QoS IE length: the code does not validate the length field carried in the GTPv2-C IE header against the fixed 22-byte layout it is about to decode, so a crafted IE whose length does not match is still processed. The advisory does not state the exact failure mode, only that the function reads or writes outside the IE it was given; whether that manifests as an out-of-bounds access or as a failed internal consistency check, the effect is that the process terminates and the service is unavailable until restarted. The missing piece is a length check at the top of the parser that rejects the IE (and lets the caller discard the message) instead of continuing. To confirm a deployment carries the fix, check that the commit is an ancestor of the running tree, for example with git merge-base --is-ancestor 4e913d21f2c032b187815f063dbab5ebe65fe83a HEAD in the source checkout.
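The following is an added illustrative example, not Open5GS's own code and not the public exploit. It covers both the packet-crafting steps above and the root-cause paragraph: it builds constructed Bearer QoS IEs (a well-formed one, one with the length field manipulated to 5, and one whose declared length runs past the end of the message), walks them with a minimal GTPv2-C IE reader, and shows an unchecked parser that trusts the fixed layout beside a hardened parser that rejects any length other than 22. The IE layout follows 3GPP TS 29.274 (IE header: type, 2-byte big-endian length, spare/instance; Bearer QoS payload: ARP octet, QCI, then four 40-bit bitrates). The struct, function names and sample bytes are assumptions made for the example.

```c
/* Added example (illustrative, not Open5GS code): GTPv2-C IE walker and a
 * Bearer QoS IE parser shown in unchecked and hardened form. Layout per
 * 3GPP TS 29.274. Names, struct and sample bytes are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GTP2_IE_BEARER_QOS  80   /* IE type of Bearer QoS */
#define GTP2_BEARER_QOS_LEN 22   /* fixed payload length of that IE */

typedef struct {
    uint8_t  pci, pl, pvi, qci;              /* ARP bits and QCI */
    uint64_t mbr_ul, mbr_dl, gbr_ul, gbr_dl; /* 40-bit bitrates, kbps */
} bearer_qos_t;

/* Read a 40-bit big-endian bitrate field. */
static uint64_t read_u40(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 5; i++) v = (v << 8) | p[i];
    return v;
}

/* Decode the fixed 22-byte layout; assumes the caller checked the length. */
static void decode_fields(bearer_qos_t *out, const uint8_t *d)
{
    out->pci = (d[0] >> 6) & 1;    /* ARP octet bit 7 */
    out->pl  = (d[0] >> 2) & 0x0f; /* ARP octet bits 6..3 */
    out->pvi = d[0] & 1;           /* ARP octet bit 1 */
    out->qci = d[1];
    out->mbr_ul = read_u40(d + 2);
    out->mbr_dl = read_u40(d + 7);
    out->gbr_ul = read_u40(d + 12);
    out->gbr_dl = read_u40(d + 17);
}

/* Vulnerable pattern: ignores the declared length and reads the full
 * layout, so an IE shorter than 22 bytes is read past its end. Shown for
 * contrast only; never call it on untrusted input. */
void parse_bearer_qos_unchecked(bearer_qos_t *out, const uint8_t *data, size_t len)
{
    (void)len;
    decode_fields(out, data);
}

/* Hardened parser: the length must be exactly 22, otherwise return -1 so
 * the caller can drop the message instead of crashing. */
int parse_bearer_qos(bearer_qos_t *out, const uint8_t *data, size_t len)
{
    if (!out || !data || len != GTP2_BEARER_QOS_LEN) return -1;
    memset(out, 0, sizeof(*out));
    decode_fields(out, data);
    return 0;
}

/* Walk the IEs of a message body. Returns 0 when a valid Bearer QoS IE was
 * found, -1 when an IE's declared length runs past the buffer or a Bearer
 * QoS IE has the wrong length. */
int find_bearer_qos(bearer_qos_t *out, const uint8_t *body, size_t body_len)
{
    size_t off = 0;
    int found = -1;
    while (off + 4 <= body_len) {
        uint8_t  type = body[off];
        uint16_t len  = (uint16_t)((body[off + 1] << 8) | body[off + 2]);
        off += 4;                              /* skip type, length, instance */
        if (len > body_len - off) return -1;   /* IE claims more than is there */
        if (type == GTP2_IE_BEARER_QOS) {
            if (parse_bearer_qos(out, body + off, len) != 0) return -1;
            found = 0;
        }
        off += len;
    }
    return found;
}

/* Constructed sample IEs, not captured traffic. */
const uint8_t good_ie[] = {
    0x50, 0x00, 0x16, 0x00,        /* type 80, length 22, instance 0 */
    0x48, 0x09,                    /* ARP: PCI=1 PL=2 PVI=0; QCI 9 */
    0x00, 0x00, 0x00, 0x03, 0xE8,  /* MBR UL 1000 kbps */
    0x00, 0x00, 0x00, 0x07, 0xD0,  /* MBR DL 2000 kbps */
    0x00, 0x00, 0x00, 0x00, 0x00,  /* GBR UL 0 */
    0x00, 0x00, 0x00, 0x00, 0x00   /* GBR DL 0 */
};
/* Length field manipulated to 5: the case the advisory describes. */
const uint8_t short_ie[] = { 0x50, 0x00, 0x05, 0x00, 0x48, 0x09, 0, 0, 0 };
/* Length field says 22 but the message ends after 5 payload bytes. */
const uint8_t truncated_ie[] = { 0x50, 0x00, 0x16, 0x00, 0x48, 0x09, 0, 0, 0 };

int main(void)
{
    bearer_qos_t q = {0};
    int rc = find_bearer_qos(&q, good_ie, sizeof good_ie);
    printf("good: rc=%d qci=%u mbr_ul=%llu\n", rc, (unsigned)q.qci,
           (unsigned long long)q.mbr_ul);
    printf("short length: rc=%d\n", find_bearer_qos(&q, short_ie, sizeof short_ie));
    printf("truncated:    rc=%d\n", find_bearer_qos(&q, truncated_ie, sizeof truncated_ie));
    return 0;
}
```

The walker rejects the truncated IE before the QoS parser ever sees it, and the hardened parser rejects the IE whose length was cut to 5; the unchecked variant would happily decode 22 bytes from that 5-byte IE, which is the class of behaviour the patched function must avoid.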