Submission #800024: Open5GS 2.7.7 Out-of-bounds Read (CWE-125) / Denial of Service (CWE-400)

Title: Open5GS 2.7.7 Out-of-bounds Read (CWE-125) / Denial of Service (CWE-400)

Description: Open5GS UPF (open5gs-upfd) is vulnerable to a remotely triggerable crash on the GTP-U user plane interface (N3). An attacker with network reachability to the UPF GTP-U listener (UDP/2152) can send a high-rate stream of crafted GTP-U packets (G-PDU and related message types) that causes the UPF process to terminate with a segmentation fault (SIGSEGV / exit code 139), resulting in a Denial of Service for all user-plane traffic and active PDU sessions handled by the UPF. In a Kubernetes-based 5G SA testbed, the UPF pod repeatedly restarted and entered backoff after the crash (CrashLoopBackOff / Back-off restarting failed container), with kubectl describe pod showing Last State: Terminated, Reason: Error, Exit Code: 139, and an increasing restart count.

The issue is reachable pre-authentication from the network perspective (no 5GC credentials required). In the tested environment, using a valid uplink TEID from an active session increased reliability by forcing deeper per-session processing (PDR/FAR path) in the UPF data plane; however, the attack fundamentally targets the externally reachable GTP-U packet processing path.

The crash is consistent with a memory-safety flaw such as an out-of-bounds read (CWE-125) in the packet classification/matching logic when parsing attacker-controlled inner IP headers (e.g., IPv4 header length fields influencing subsequent TCP/UDP header access) and/or related malformed-packet handling under load. Additionally, the same GTP-U flooding conditions can cause extreme latency degradation due to synchronous logging/hexdump and control-plane signaling amplification (resource exhaustion, CWE-400), but the primary observed impact in this report is the remote crash (SIGSEGV) of the UPF.

Affected component/path (source-level context): UPF GTP-U receive callback in src/upf/gtp-path.c (_gtpv1_u_recv_cb) and packet rule matching in lib/pfcp/rule-match.c (ogs_pfcp_pdr_rule_find_by_packet) when valid TEIDs are used.

Test evidence: container image docker.io/gradiant/open5gs:2.7.5 (Open5GS daemon v2.7.5) with the crash confirmed via Kubernetes termination status (exit code 139). A private PoC script and additional logs/pcaps are available for maintainers under responsible disclosure.

Disclosure coordination: The reporter contacted the Open5GS maintainer(s) to report this issue responsibly, but did not receive a response within the expected timeframe. A full proof-of-concept (PoC) will not be published or shared publicly until a fix is available, to reduce the risk of widespread exploitation; the reporter is willing to provide reproduction details privately to maintainers or a coordinated disclosure process once contact is established and a remediation timeline is agreed.
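As an added defensive illustration (not Open5GS's own code, and not the report's PoC), the following is a bounds-checked inner-IPv4 classifier of the kind the CWE-125 hypothesis above calls for: every header field that controls where the TCP/UDP ports are read (IHL, total length, fragment offset) is validated against the number of bytes actually received before it is used. The flow_key_t type, the function names and the sample packet bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Flow key from the inner IPv4 packet of a G-PDU; addresses in network order, ports 0 if absent. */
typedef struct { uint8_t proto; uint32_t src, dst; uint16_t sport, dport; } flow_key_t;
/* Each header field that controls a later offset (IHL, total length) is checked
 * against the bytes actually received before use, so a forged IHL cannot push the
 * TCP/UDP port read past the end of the buffer. Returns 0 on success, -1 if malformed. */
int classify_inner_ipv4(const uint8_t *pkt, size_t len, flow_key_t *key)
{
    if (!pkt || !key || len < 20) return -1;          /* minimum IPv4 header */
    if ((pkt[0] >> 4) != 4) return -1;                 /* version must be 4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;          /* attacker-controlled */
    if (ihl < 20 || ihl > len) return -1;              /* IHL must fit in buffer */
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (tot < ihl || tot > len) return -1;             /* total length must fit */
    memset(key, 0, sizeof *key);
    key->proto = pkt[9];
    memcpy(&key->src, pkt + 12, 4);
    memcpy(&key->dst, pkt + 16, 4);
    uint16_t frag_off = (((uint16_t)pkt[6] << 8) | pkt[7]) & 0x1fff;
    if (frag_off != 0) return 0;                       /* later fragments carry no L4 header */
    if (key->proto == 6 || key->proto == 17) {         /* TCP / UDP */
        if (tot - ihl < 4) return -1;                  /* ports need 4 bytes after the IP header */
        key->sport = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
        key->dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    }
    return 0;
}

/* Constructed sample: 20-byte IPv4 header + 8-byte UDP header, 10.0.0.1 -> 10.0.0.2, port 1234 -> 53. */
static const uint8_t sample_udp[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2, 0x04, 0xd2, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };
/* Well-formed packet: returns the parsed destination port (53). */
int demo_valid_dport(void)
{
    flow_key_t k;
    return classify_inner_ipv4(sample_udp, sizeof sample_udp, &k) == 0 ? k.dport : -1;
}
/* Same bytes with IHL forged to 15 (60-byte header claimed, 28 received): rejected with -1. */
int demo_forged_ihl(void)
{
    uint8_t bad[28];
    flow_key_t k;
    memcpy(bad, sample_udp, sizeof bad);
    bad[0] = 0x4f;
    return classify_inner_ipv4(bad, sizeof bad, &k);
}
```

An unchecked parser given the forged packet would compute the port offset from the claimed IHL and read beyond the 28 received bytes; the check on `ihl > len` is what turns that into a clean reject.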
User: 0wln3d (UID 96662)
Submitted: 2026-04-08 15:39 (2 months ago)
Moderated: 2026-05-08 21:47 (1 month later)
Status: Accepted
VulDB entry: 362338 [Open5GS up to 2.7.7 NF lib/sbi/client.c ogs_sbi_client_send_via_scp_or_sepp information disclosure]
Points: 17