| Field | Value |
|---|---|
| Title | UERANSIM 3.2.7 DoS via Malformed RLS Packet (CWE-248) |
| Description | A vulnerability in UERANSIM v3.2.7 allows a remote Denial of Service (DoS) against the simulated gNodeB process (nr-gnb) by sending a malformed RLS (Radio Link Simulation) UDP packet to the gNB's RLS listener (UDP port 4997, cons::RadioLinkPort). The issue is triggered in the RLS decode path when the packet's declared PDU length is inconsistent with the actual datagram size. In rls::DecodeRlsMessage() (src/lib/rls/rls_pdu.cpp), the decoder reads pduLength while handling an RLS PDU_TRANSMISSION message (msgType=0x06) and calls OctetView::readOctetString(pduLength) (src/utils/octet_view.cpp). When index + pduLength > size, readOctetString() throws std::out_of_range("Invalid arguments for readOctetString"). Because the gNB receive loop (RlsUdpTask::onLoop() in src/gnb/rls/udp_task.cpp) does not catch exceptions around DecodeRlsMessage(), the exception propagates to the top level and the runtime calls std::terminate(), crashing nr-gnb (observed message: terminate called after throwing an instance of 'std::out_of_range' / what(): Invalid arguments for readOctetString).<br><br>Attack preconditions are minimal: the attacker only needs UDP reachability to the gNB RLS IP/port; no authentication or prior session establishment is required at the RLS layer. In practical deployments (e.g., Kubernetes-based testbeds or shared lab networks), any co-tenant or rogue host with L3 access to the gNB can deliver the UDP payload. The impact is complete loss of availability of the gNB process; all UEs attached to that gNB lose connectivity until the gNB is restarted (and repeated packets can force repeated crashes).<br><br>This behavior is related to CVE-2024-37877 (malformed RLS PDU length in DecodeRlsMessage/readOctetString), but in v3.2.7 the bounds check exists and results in an uncaught exception leading to a deterministic crash (CWE-248: Uncaught Exception). Additional robustness concerns remain in the same parsing area (e.g., truncated RLS packets and unbounded PDU_TRANSMISSION_ACK count handling), but the primary confirmed vector is the PDU_TRANSMISSION malformed length causing std::out_of_range → std::terminate.<br><br>Disclosure coordination: The reporter is contacting the UERANSIM maintainer(s) to report this issue responsibly and is willing to provide reproduction details privately (logs, minimal PoC, and test procedure) to support triage and a coordinated disclosure timeline; public PoC details will be withheld until a fix is available. |
| User | 0wln3d (UID 96662) |
| Submission | 08/04/2026 04:02 PM (2 months ago) |
| Moderation | 27/04/2026 11:56 AM (19 days later) |
| Status | Approved |
| VulDB Entry | 359784 [aligungr UERANSIM up to 3.2.7 Radio Link Simulation Layer src/lib/rls/rls_pdu.cpp rls::DecodeRlsMessage pduLength denial of service] |
| Points | 17 |
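The uncaught-exception failure mode described above, shown as an added defensive example that is not UERANSIM's own code: a simplified OctetView and decoder in the same shape as the report (a bounds check that signals failure by throwing std::out_of_range), and a per-datagram receive handler that catches the decoder's exception and drops the packet instead of letting it unwind to std::terminate(). The RLS layout (msgType byte, 2-byte pduLength, payload), the class and function names, and the sample datagrams are assumptions constructed for illustration, not the project's real wire format or source.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <vector>

// Minimal stand-in for UERANSIM's OctetView (an assumption for this example; the project's
// src/utils/octet_view.cpp is not reproduced). It keeps the one behaviour the report describes:
// readOctetString() throws std::out_of_range when index + length > size.
class OctetView {
public:
    OctetView(const uint8_t* data, size_t size) : data_(data), size_(size), index_(0) {}

    uint8_t read() {
        if (index_ >= size_)
            throw std::out_of_range("Invalid arguments for read");
        return data_[index_++];
    }

    uint16_t read2() {
        uint16_t hi = read();
        uint16_t lo = read();
        return static_cast<uint16_t>((hi << 8) | lo);
    }

    std::vector<uint8_t> readOctetString(size_t length) {
        // The bounds check is present (as in v3.2.7), but it reports failure by throwing.
        if (index_ + length > size_)
            throw std::out_of_range("Invalid arguments for readOctetString");
        std::vector<uint8_t> out(data_ + index_, data_ + index_ + length);
        index_ += length;
        return out;
    }

private:
    const uint8_t* data_;
    size_t size_;
    size_t index_;
};

// Simplified RLS message layout used only by this example (assumption: the real RLS header
// carries more fields; only the msgType / pduLength / pdu relationship from the report is modelled).
constexpr uint8_t PDU_TRANSMISSION = 0x06;

struct RlsMessage {
    uint8_t msgType = 0;
    std::vector<uint8_t> pdu;
};

// Decoder: for PDU_TRANSMISSION it trusts the declared pduLength and relies on the
// OctetView bounds check, which throws when the declared length exceeds the datagram.
RlsMessage decodeRlsMessage(const uint8_t* data, size_t size) {
    OctetView view(data, size);
    RlsMessage msg;
    msg.msgType = view.read();
    if (msg.msgType == PDU_TRANSMISSION) {
        uint16_t pduLength = view.read2();
        msg.pdu = view.readOctetString(pduLength);
    }
    return msg;
}

enum class RxResult { Decoded, Dropped };

// Hardened per-datagram handler: the CWE-248 mitigation the report implies. Without this
// try/catch, std::out_of_range would unwind to the receive thread's entry point and
// std::terminate() the whole gNB; with it, a malformed datagram becomes a logged, dropped
// packet and every other UE keeps its session.
RxResult handleDatagram(const std::vector<uint8_t>& datagram) {
    try {
        RlsMessage msg = decodeRlsMessage(datagram.data(), datagram.size());
        (void)msg; // would be dispatched to the gNB's RLS control logic here
        return RxResult::Decoded;
    } catch (const std::out_of_range& e) {
        std::cerr << "rls: dropping malformed datagram (" << datagram.size()
                  << " bytes): " << e.what() << '\n';
        return RxResult::Dropped;
    } catch (const std::exception& e) {
        std::cerr << "rls: dropping undecodable datagram: " << e.what() << '\n';
        return RxResult::Dropped;
    }
}

// Stand-alone demo over constructed in-memory datagrams (not captured traffic).
int main() {
    const std::vector<std::vector<uint8_t>> samples = {
        {0x06, 0x00, 0x03, 0xAA, 0xBB, 0xCC}, // consistent: declares 3 bytes, carries 3
        {0x06, 0x00, 0x10, 0xAA},             // inconsistent: declares 16 bytes, carries 1
        {0x06, 0x00},                         // truncated before pduLength is complete
        {0x01},                               // a non-PDU_TRANSMISSION message type
    };
    for (const auto& s : samples)
        std::cout << (handleDatagram(s) == RxResult::Decoded ? "decoded" : "dropped") << '\n';
    return 0;
}
```

The design point is where the catch sits: per datagram inside the receive loop, so one bad packet costs one log line rather than the process. The same handler also covers the truncated-packet case the report lists as a remaining concern, because a short header trips the same exception type.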