CVE-2025-15418

Source: cna@vuldb.com

MEDIUM
4.8
Published: January 2, 2026 at 12:15 AM
Modified: January 6, 2026 at 03:06 PM

Vulnerability Description

A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function ogs_gtp2_parse_bearer_qos in the library lib/gtp/v2/types.c of the component Bearer QoS IE Length Handler. Performing manipulation results in denial of service. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is named 4e913d21f2c032b187815f063dbab5ebe65fe83a. To fix this issue, it is recommended to deploy a patch.

CVSS Metrics

Base Score
4.8
Severity
MEDIUM
Vector String
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: cna@vuldb.com

AI Security Analysis

01 // Technical Summary

Open5GS versions up to 2.7.6 contain a denial-of-service flaw in the Bearer QoS IE length handling of ogs_gtp2_parse_bearer_qos (lib/gtp/v2/types.c). A GTPv2 message whose Bearer QoS IE carries a crafted length field crashes the process that parses it, taking the affected core-network function and its sessions offline. The CNA scores the attack vector as Local with low privileges (AV:L/PR:L) and the impact as availability only (VC:N/VI:N/VA:L); the phrase "local position" in the advisory refers to that vector, not to a position on the local network. A public exploit and the fixing commit are both available, so the flaw is well understood and straightforward to reproduce.

02 // Vulnerability Mechanism

Step 1: Access: The attacker needs a position from which a GTPv2-C message reaches the vulnerable Open5GS component (the MME, SGW-C and SMF all process GTPv2-C, carried over UDP/2123). The CNA scores this as local, low-privileged access (AV:L/PR:L); whether the same parser is reachable from a remote GTP-C peer is not stated in the advisory.

Step 2: Crafting the Malicious Packet: The attacker builds a GTPv2 message containing a Bearer QoS IE (type 80) whose two-octet length field is inconsistent with the fixed 22-octet value 3GPP TS 29.274 defines for that IE, for example claiming more octets than the message actually carries. The exact malformed value used by the public exploit is not given here.

Step 3: Packet Delivery: The attacker sends the crafted message to the Open5GS instance.

Step 4: Vulnerability Trigger: ogs_gtp2_parse_bearer_qos decodes the IE using the attacker-supplied length without validating it against the octets actually present, so it reads beyond the IE data; see the patch commit for the exact check that was missing.

Step 5: Denial of Service: The out-of-bounds read crashes the process, dropping the sessions it served. Nothing on this page indicates a controllable write, and the CVSS vector records no integrity impact (VI:N), so treat this as an availability issue rather than a code-execution primitive unless shown otherwise.

03 // Deep Technical Analysis

The vulnerability is in ogs_gtp2_parse_bearer_qos in lib/gtp/v2/types.c, which decodes the Bearer QoS IE into the library's QoS structure. The Bearer QoS IE has a fixed-size value (22 octets per 3GPP TS 29.274: flags and priority level, QCI, and four 40-bit MBR/GBR rates), so a correct decoder must reject any IE whose length field differs from that size or exceeds the octets remaining in the message. The root cause is most likely that, up to 2.7.6, the length field was not validated adequately before the value was accessed, so a crafted length drives the decoder past the IE data and the process crashes. The CVSS vector scores availability impact only (VI:N/VA:L), consistent with an out-of-bounds read rather than exploitable memory corruption. The fix is commit 4e913d21f2c032b187815f063dbab5ebe65fe83a; the expected change is a length check before the value is parsed, but confirm the exact check against the commit rather than this description.

04 // Exploitation Status

Public PoC. An exploit is publicly available and the fixing commit names the vulnerable function and file, so the bug is well understood and easy to reproduce against unpatched instances. Because the outcome is a crash rather than code execution, the practical risk is service disruption of the component that parses the message.

05 // Threat Intelligence

No specific threat actors are linked to this CVE, and its CISA KEV status is unknown at the time of writing. Crashing an MME, SGW-C or SMF drops the subscriber sessions that component serves, so in telecom and private-5G deployments the public PoC warrants prompt patching even though the CNA scores the attack vector as local.

06 // Detection & Hunting

  • Inspect GTPv2-C traffic (UDP/2123) for Bearer QoS IEs (type 80) whose length field differs from the 22 octets 3GPP TS 29.274 defines or overruns the message, including inside Bearer Context grouped IEs.

  • Analyze crash logs and core dumps for segmentation faults or aborts with ogs_gtp2_parse_bearer_qos in the backtrace.

  • Add GTP-aware IDS/IPS rules for malformed GTPv2-C IE lengths; generic signatures on the raw UDP payload will not decode the IE structure.

  • Monitor for unexpected restarts of the GTPv2-C-speaking daemons (open5gs-mmed, open5gs-sgwcd, open5gs-smfd); a crash-based DoS shows up as restart loops and session loss rather than as CPU or memory spikes.

  • Review logs for GTPv2-C traffic from hosts that are not configured peers, including hosts inside the core network.
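The length handling described in sections 02 and 03, and the IE-length check the first detection bullet calls for, in one added example. This is illustrative code written for this page, not Open5GS's ogs_gtp2_parse_bearer_qos (which receives the IE through the library's own TLV structures and whose exact checks are not shown here). It assumes the 3GPP TS 29.274 layouts named in the comments (IE types 73/80/93, fixed 22-octet Bearer QoS value, 8- or 12-byte GTPv2-C header), and the two packets at the bottom are constructed for illustration. The "unchecked" helper shows what a trusting decoder would read; the checked decoder and the message scanner are the hardened form and the detection logic respectively.

```c
/* Added example for this page, not Open5GS code: a GTPv2-C IE walker with a
 * length-checked Bearer QoS decoder. Layouts follow 3GPP TS 29.274: 8/12-byte
 * message header (T flag adds the TEID), 4-byte IE header Type|Len(2)|Inst,
 * IE types EBI=73, Bearer QoS=80, Bearer Context=93 (grouped), and a fixed
 * 22-octet Bearer QoS value. The packet bytes at the bottom are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IE_HDR_LEN      4
#define IE_BEARER_QOS   80
#define IE_BEARER_CTX   93
#define BEARER_QOS_LEN  22
enum { QOS_OK = 0, QOS_TRUNCATED = -1, QOS_BAD_LEN = -2, QOS_BAD_HDR = -3 };

typedef struct { uint8_t pci, pl, pvi, qci; uint64_t ul_mbr, dl_mbr, ul_gbr, dl_gbr; } bearer_qos_t;

static uint64_t be40(const uint8_t *p)        /* 40-bit big-endian rate, kbps */
{
    uint64_t v = 0;
    for (int i = 0; i < 5; i++) v = (v << 8) | p[i];
    return v;
}

/* The trusting pattern the advisory describes: value length taken straight
 * from the IE header. Only returned here for comparison, never used to read. */
static int unchecked_value_len(const uint8_t *ie) { return (ie[1] << 8) | ie[2]; }

/* Hardened decode: the claimed length must fit the bytes present AND equal
 * the fixed size the specification gives this IE. */
static int parse_bearer_qos(const uint8_t *ie, size_t avail, bearer_qos_t *out)
{
    if (avail < IE_HDR_LEN || ie[0] != IE_BEARER_QOS) return QOS_BAD_HDR;
    size_t len = (size_t)((ie[1] << 8) | ie[2]);
    if (len > avail - IE_HDR_LEN) return QOS_TRUNCATED;  /* overruns the message */
    if (len != BEARER_QOS_LEN)    return QOS_BAD_LEN;    /* not the 22 octets defined */
    const uint8_t *v = ie + IE_HDR_LEN;
    out->pci = (v[0] >> 6) & 1;                           /* octet 5: -|PCI|PL(4)|-|PVI */
    out->pl  = (v[0] >> 2) & 0x0f;
    out->pvi = v[0] & 1;
    out->qci = v[1];
    out->ul_mbr = be40(v + 2);  out->dl_mbr = be40(v + 7);
    out->ul_gbr = be40(v + 12); out->dl_gbr = be40(v + 17);
    return QOS_OK;
}

/* Walks an IE list (recursing into Bearer Context) and counts Bearer QoS IEs
 * that fail the checked decode. Stops at the first IE whose length overruns
 * the buffer, since nothing after it can be located reliably. */
static int scan_ies(const uint8_t *p, size_t len)
{
    int bad = 0;
    for (size_t off = 0; off + IE_HDR_LEN <= len; ) {
        uint8_t type  = p[off];
        size_t ie_len = ((size_t)p[off + 1] << 8) | p[off + 2];
        size_t avail  = len - off;
        bearer_qos_t q;
        if (type == IE_BEARER_QOS && parse_bearer_qos(p + off, avail, &q) != QOS_OK)
            bad++;
        if (ie_len > avail - IE_HDR_LEN) break;
        if (type == IE_BEARER_CTX) bad += scan_ies(p + off + IE_HDR_LEN, ie_len);
        off += IE_HDR_LEN + ie_len;
    }
    return bad;
}

/* Detection entry point for a UDP/2123 payload: validates the GTPv2-C header
 * and returns the number of malformed Bearer QoS IEs, or -1 if the header is
 * unusable. A GTP-aware sensor alerts on any result other than 0. */
int scan_gtp2_message(const uint8_t *msg, size_t len)
{
    if (len < 8 || (msg[0] >> 5) != 2) return -1;          /* short / not GTPv2 */
    size_t hdr   = (msg[0] & 0x08) ? 12 : 8;               /* T flag: TEID present */
    size_t total = 4 + (((size_t)msg[2] << 8) | msg[3]);   /* length excludes octets 1-4 */
    if (total > len || total < hdr) return -1;             /* header length lies */
    return scan_ies(msg + hdr, total - hdr);
}

/* Constructed Create Session Request (type 32, TEID 0, seq 1) carrying
 * Bearer Context { EBI 5, Bearer QoS: PCI=1 PL=9 QCI=9, MBR 1000/2000 kbps }.
 * CRAFTED_MSG is identical except the Bearer QoS length claims 0x0100 octets
 * while only 22 follow: the crafted-length condition the advisory describes. */
#define QOS_IE_OFFSET 21
#define MSG_BODY(lenhi, lenlo) \
    0x48, 0x20, 0x00, 0x2B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, \
    0x5D, 0x00, 0x1F, 0x00,          /* Bearer Context, 31 octets */ \
    0x49, 0x00, 0x01, 0x00, 0x05,    /* EBI = 5 */ \
    0x50, lenhi, lenlo, 0x00,        /* Bearer QoS IE header */ \
    0x64, 0x09, 0x00, 0x00, 0x00, 0x03, 0xE8, 0x00, 0x00, 0x00, 0x07, 0xD0, \
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
static const uint8_t VALID_MSG[]   = { MSG_BODY(0x00, 0x16) };
static const uint8_t CRAFTED_MSG[] = { MSG_BODY(0x01, 0x00) };

int main(void)
{
    printf("valid: %d malformed Bearer QoS IE(s)\n", scan_gtp2_message(VALID_MSG, sizeof VALID_MSG));
    printf("crafted: %d malformed; a trusting parser would read %d of the 22 octets present\n",
           scan_gtp2_message(CRAFTED_MSG, sizeof CRAFTED_MSG), unchecked_value_len(CRAFTED_MSG + QOS_IE_OFFSET));
    return 0;
}
```

The two checks in parse_bearer_qos are deliberately separate: the first (length fits the buffer) is what stops the out-of-bounds read, the second (length equals the fixed size) rejects IEs that are merely wrong. A sensor that only applies the first check will miss short or padded Bearer QoS IEs that a patched parser rejects anyway, so alerting on either is the better hunting signal.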

07 // Remediation & Hardening

  • Apply commit 4e913d21f2c032b187815f063dbab5ebe65fe83a, or upgrade to a release that includes it, on every affected Open5GS instance: any component that processes GTPv2-C (MME, SGW-C, SMF) uses the lib/gtp/v2 parser.

  • Segment the network so that only configured peers can reach the GTP-C interfaces (S11, S5/S8) and the hosts running Open5GS.

  • Keep Open5GS on the latest stable release.

  • Monitor network traffic and system logs for malformed GTPv2-C messages and unexpected daemon restarts.

  • Rate-limit GTPv2-C traffic per peer to slow repeated crash attempts; this does not stop a single crafted message.

  • Do not expect a Web Application Firewall to help: GTPv2-C is not HTTP. Where GTP-C crosses a trust boundary, use a GTP-aware firewall that validates message and IE lengths before traffic reaches the core.

08 // Affected Products

Open5GS versions up to 2.7.6