CVE-2025-15419

Source: cna@vuldb.com

MEDIUM
4.8
Published: January 2, 2026 at 01:15 AM
Modified: January 6, 2026 at 03:04 PM

Vulnerability Description

A weakness has been identified in Open5GS up to 2.7.6. Affected by this issue is the function sgwc_s5c_handle_create_session_response of the file src/sgwc/s5c-handler.c of the component GTPv2-C Flow Handler. Executing a manipulation can lead to denial of service. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. The patch is identified as 5aaa09907e7b9e0a326265a5f08d56f54280b5f2. Applying the patch is advised to correct this issue.

CVSS Metrics

Base Score: 4.8
Severity: MEDIUM
Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: cna@vuldb.com

AI Security Analysis

01 // Technical Summary

Open5GS versions up to 2.7.6 are vulnerable to a denial-of-service (DoS) attack. This vulnerability, located in the GTPv2-C Flow Handler, can be triggered locally, potentially disrupting critical network services. A publicly available exploit exists, increasing the risk of exploitation.

02 // Vulnerability Mechanism

Step 1: Triggering the Vulnerability: A malicious actor, with local access to the Open5GS deployment, crafts a specially designed GTPv2-C Create Session Response message.

Step 2: Message Injection: The crafted message is sent to the sgwc process, targeting the S5-C interface.

Step 3: Function Execution: The sgwc_s5c_handle_create_session_response function processes the malicious message.

Step 4: Exploitation: The crafted message triggers the vulnerability, leading to a crash or resource exhaustion within the sgwc process.

Step 5: Denial of Service: The crash of sgwc results in a denial of service, disrupting network connectivity and potentially impacting other network services dependent on Open5GS.

03 // Deep Technical Analysis

The vulnerability resides within the sgwc_s5c_handle_create_session_response function in src/sgwc/s5c-handler.c. The root cause likely involves improper handling of GTPv2-C messages, specifically the Create Session Response. The flaw could be a memory corruption issue, such as an integer overflow or an uncontrolled resource allocation, triggered by crafted GTPv2-C messages. This leads to a crash of the sgwc process, resulting in a DoS. The patch 5aaa09907e7b9e0a326265a5f08d56f54280b5f2 likely addresses the specific flaw by validating input data or properly managing memory allocation.

04 // Exploitation Status

Public PoC. The availability of the exploit code increases the likelihood of exploitation.

05 // Threat Intelligence

While no specific APTs are directly linked to this CVE at this time, the public availability of the exploit makes it attractive to various threat actors. This vulnerability is not yet listed on the CISA KEV catalog, but it is a candidate due to its potential impact.

06 // Detection & Hunting

  • Monitor network traffic on the S5-C interface for unusual GTPv2-C Create Session Response messages, especially those with malformed or unexpected fields.

  • Analyze sgwc process logs for crash events, segmentation faults, or other error messages related to the sgwc_s5c_handle_create_session_response function.

  • Implement intrusion detection system (IDS) rules to identify and alert on suspicious GTPv2-C traffic patterns.

  • Monitor system resource usage (CPU, memory) of the sgwc process for sudden spikes or exhaustion.
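One way to implement the first check in the list above is a structural sanity pass over Create Session Response messages captured on S5-C. This is an added example, not Open5GS code or the patch, and it does not reproduce the specific trigger, which the advisory does not describe. It assumes the GTPv2-C header and IE layout from 3GPP TS 29.274; the function name and sample payloads are constructed for illustration.

```python
import struct

CREATE_SESSION_RESPONSE = 33  # GTPv2-C message type (3GPP TS 29.274)
CAUSE_IE = 2                  # mandatory IE in a Create Session Response

def check_gtpv2c(payload: bytes) -> list[str]:
    """Structural findings for one UDP payload captured on S5-C (port 2123)."""
    if len(payload) < 8:
        return ["shorter than the minimum GTPv2-C header"]
    flags, msg_type, length = struct.unpack_from("!BBH", payload, 0)
    if flags >> 5 != 2:
        return ["not GTP version 2"]
    if msg_type != CREATE_SESSION_RESPONSE:
        return []                      # other message types are out of scope
    findings = []
    has_teid, piggyback = bool(flags & 0x08), bool(flags & 0x10)
    end = 4 + length                   # length field excludes the first 4 octets
    if end > len(payload):
        findings.append("declared length exceeds captured payload")
        end = len(payload)
    elif end < len(payload) and not piggyback:
        findings.append("trailing bytes after declared length")
    if not has_teid:
        findings.append("TEID flag not set")
    offset = 12 if has_teid else 8     # TEID (4) + sequence (3) + spare (1)
    if offset > end:
        return findings + ["declared length shorter than the header"]
    seen = set()
    while offset < end:                # walk the type/length/instance/value IEs
        if end - offset < 4:
            findings.append("truncated IE header")
            break
        ie_type, ie_len = struct.unpack_from("!BH", payload, offset)
        seen.add(ie_type)
        offset += 4 + ie_len
        if offset > end:
            findings.append(f"IE type {ie_type} overruns the message")
            break
    if CAUSE_IE not in seen:
        findings.append("mandatory Cause IE missing")
    return findings

# Constructed sample payloads (not captured traffic).
GOOD = bytes.fromhex("4821000e" "00000001" "00000100" "02000200" "1000")
BAD_IE = bytes.fromhex("4821000e" "00000001" "00000100" "02004000" "1000")
ECHO = bytes.fromhex("40010004" "00000100")

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("bad_ie", BAD_IE), ("echo", ECHO)]:
        print(name, check_gtpv2c(pkt))
```

Any non-empty result for a Create Session Response is worth correlating with the sgwc crash and resource alerts listed here.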

07 // Remediation & Hardening

  • Apply the official patch (5aaa09907e7b9e0a326265a5f08d56f54280b5f2) to update Open5GS to a patched version.

  • Implement input validation on the S5-C interface to filter out malformed or suspicious GTPv2-C messages.

  • Restrict access to the S5-C interface to only authorized network elements.

  • Regularly update Open5GS to the latest stable version to address any other potential vulnerabilities.

  • Implement monitoring and alerting on the sgwc process to detect and respond to crashes or resource exhaustion.

08 // Affected Products

Open5GS up to and including version 2.7.6