Submit #800025: Open5GS 2.7.7 Denial of Service (DoS) (CWE-400)

Title: Open5GS 2.7.7 Denial of Service (DoS) (CWE-400)
Description: Open5GS UPF (open5gs-upfd) is vulnerable to a remotely triggerable user-plane Denial of Service (performance degradation) on the GTP-U interface (N3). An attacker with network reachability to the UPF GTP-U listener (UDP/2152) can send a sustained high-rate stream of crafted GTP-U packets—interleaving GTP-U Echo Requests and G-PDUs carrying invalid/unknown TEIDs—that forces expensive synchronous work on the UPF data-path receive callback.

In particular, invalid-TEID handling repeatedly triggers error-path processing (including ogs_error(...) and ogs_log_hexdump() formatting) and may generate Error Indication responses, while Echo Requests trigger Echo Responses; these operations are executed on the hot path without adequate rate limiting/backpressure. This results in event-loop starvation and uncontrolled resource consumption (CWE-400), manifesting as severe latency inflation, tail-latency spikes, jitter, and packet loss for legitimate user-plane traffic traversing the same UPF instance, even while PDU sessions remain established (“connected but untimely”).

The issue is reachable pre-authentication from the network perspective (no 5GC credentials required to send the attack traffic): the adversary only needs to deliver UDP datagrams to the UPF’s GTP-U port. In private 5G deployments, a co-tenant UE may infer a reachable UPF address via common network reconnaissance (e.g., traceroute/subnet probing) and then execute the same traffic-driven attack; the core exposure remains the UPF’s externally reachable GTP-U processing path and its lack of rate limiting for abusive inputs.

Affected component/path (source-level context): UPF GTP-U receive callback in src/upf/gtp-path.c (_gtpv1_u_recv_cb), specifically Echo Request handling and the invalid/unknown TEID error path for G-PDU processing, which invokes synchronous logging/hexdump and triggers protocol response generation.

Test evidence: Open5GS v2.7.7 (container image docker.io/gradiant/open5gs:2.7.7), with degradation confirmed in a Kubernetes-based 5G SA testbed by measuring a baseline sub-millisecond RTT rising to multi-millisecond averages with large tail spikes (tens of ms) and non-trivial packet loss under attack, while connectivity (PDU session attachment) persisted.

Disclosure coordination: The reporter is contacting the Open5GS maintainer(s) to report this issue responsibly and is willing to provide reproduction details privately (logs, minimal PoC, and test procedure) to support triage and a coordinated disclosure timeline; public PoC details will be withheld until a fix is available.
User: 0wln3d (UID 96662)
Submission: 08/04/2026 03:51 PM (2 months ago)
Moderation: 08/05/2026 09:47 PM (1 month later)
Status: Accepted
VulDB entry: 362339 [Open5GS up to 2.7.7 UPF src/upf/gtp-path.c _gtpv1_u_recv_cb denial of service]
Points: 17
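
The description above attributes the degradation to Echo handling and the invalid-TEID error path running on the hot path without rate limiting. The following is an added example, not Open5GS code and not the project's fix: a token bucket that budgets slow-path work (logging, hexdump, Echo Response, Error Indication) while G-PDUs with a known TEID bypass it. All names (limiter_t, gtpu_classify, the action values) are hypothetical, and the caller is assumed to pass a monotonic clock value.

```c
#include <stdbool.h>
#include <stdint.h>

#define NS_PER_SEC 1000000000ULL
#define GTPU_ECHO_REQUEST 1   /* GTP-U message types, 3GPP TS 29.281 */
#define GTPU_GPDU         255

/* Hypothetical names throughout; this is not Open5GS code. */
typedef struct {
    uint64_t rate, burst;     /* slow-path events per second (> 0), bucket size */
    uint64_t tokens, last_ns; /* available tokens, time of last refill */
    uint64_t suppressed;      /* events dropped without log or reply */
} limiter_t;

typedef enum { ACT_FORWARD, ACT_SLOW_PATH, ACT_DROP_QUIET } action_t;

void limiter_init(limiter_t *l, uint64_t rate, uint64_t burst, uint64_t now_ns)
{
    l->rate = rate; l->burst = burst; l->tokens = burst;
    l->last_ns = now_ns; l->suppressed = 0;
}

/* Token bucket: true if one expensive operation is allowed now. */
bool limiter_allow(limiter_t *l, uint64_t now_ns)
{
    uint64_t elapsed = now_ns > l->last_ns ? now_ns - l->last_ns : 0;
    uint64_t fill_ns = l->burst * NS_PER_SEC / l->rate; /* time from empty to full */
    if (elapsed >= fill_ns) {            /* long idle: refill fully, avoids overflow */
        l->tokens = l->burst;
        l->last_ns = now_ns;
    } else {
        uint64_t add = elapsed * l->rate / NS_PER_SEC;
        if (add > 0) {
            l->tokens = l->tokens + add > l->burst ? l->burst : l->tokens + add;
            l->last_ns += add * NS_PER_SEC / l->rate; /* keep fractional remainder */
        }
    }
    if (l->tokens == 0) { l->suppressed++; return false; }
    l->tokens--;
    return true;
}

/* Decide what the receive path does with one datagram. */
action_t gtpu_classify(limiter_t *l, uint8_t msg_type, bool teid_known, uint64_t now_ns)
{
    if (msg_type == GTPU_GPDU && teid_known)
        return ACT_FORWARD;   /* legitimate user-plane traffic is never throttled */
    /* Echo Request, unknown-TEID G-PDU, anything else: budgeted slow path. */
    return limiter_allow(l, now_ns) ? ACT_SLOW_PATH : ACT_DROP_QUIET;
}
```

On ACT_DROP_QUIET the caller only increments a counter; exporting `suppressed` as a metric gives operators a signal that the listener is being flooded without paying the per-packet logging cost.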
