CVE-2021-41794 in Open5GS
Summary
by MITRE • 10/07/2021
ogs_fqdn_parse in Open5GS 1.0.0 through 2.3.3 inappropriately trusts a client-supplied length value, leading to a buffer overflow. The attacker can send a PFCP Session Establishment Request with "internet" as the PDI Network Instance. The first character is interpreted as a length value to be used in a memcpy call. The destination buffer is only 100 bytes long on the stack. Then, 'i' gets interpreted as 105 bytes to copy from the source buffer to the destination buffer.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 10/14/2021
The vulnerability identified as CVE-2021-41794 affects Open5GS versions 1.0.0 through 2.3.3 and represents a critical buffer overflow flaw in the ogs_fqdn_parse function. This issue stems from improper validation of client-supplied data during the parsing of Fully Qualified Domain Name (FQDN) values within the Packet Forwarding Control Protocol (PFCP) implementation. The vulnerability manifests when processing PFCP Session Establishment Requests containing the "internet" string as the PDI Network Instance field, creating a dangerous trust relationship between the system and potentially malicious client input.
The technical flaw occurs in the memory management logic where the system interprets the first character of the client-provided string as a length indicator for a subsequent memcpy operation. In this specific scenario, when "internet" is processed, the character 'i' (ASCII value 105) is treated as the intended length value for memory copying. The destination buffer allocated on the stack is only 100 bytes in size, creating a classic stack-based buffer overflow condition. This misinterpretation of the length parameter allows an attacker to write beyond the bounds of the allocated buffer, potentially corrupting adjacent memory structures and compromising system stability.
The operational impact of this vulnerability extends beyond simple memory corruption, as it provides potential attack vectors for remote code execution and system compromise. An attacker exploiting this vulnerability could manipulate the program's execution flow by overwriting return addresses, function pointers, or other critical memory locations within the stack. The vulnerability affects the core PFCP functionality that governs packet forwarding decisions in 5G networks, making it particularly dangerous in mobile network infrastructure environments. This flaw aligns with CWE-121 Stack-based Buffer Overflow, which specifically addresses buffer overflows occurring in stack memory regions due to inadequate bounds checking.
The attack scenario involves an adversary sending a crafted PFCP Session Establishment Request with maliciously formatted network instance data. The PFCP protocol is used in 5G core networks for communication between network elements such as UPFs (User Plane Functions) and MMEs (Mobility Management Entities), making this vulnerability particularly severe in production network environments. The vulnerability demonstrates a fundamental failure in input validation and memory safety practices, which are core principles of secure coding standards and align with ATT&CK technique T1059.007 for Command and Scripting Interpreter. Organizations deploying Open5GS systems should prioritize immediate patching to address this vulnerability, as it could enable attackers to gain unauthorized access to critical network infrastructure components.
Mitigation strategies should include implementing proper bounds checking mechanisms, validating all client-supplied data before processing, and employing stack protection techniques such as stack canaries and address space layout randomization. The Open5GS development team has addressed this issue in subsequent releases, and system administrators should upgrade to versions 2.3.4 or later to eliminate this vulnerability. Additionally, network monitoring should be enhanced to detect anomalous PFCP traffic patterns that might indicate exploitation attempts, and proper input sanitization should be implemented at all network protocol interfaces to prevent similar issues in other components.