| Title | UERANSIM 3.2.7 DoS via Malformed RLS Packet (CWE-248) |
|---|---|
| Description | A vulnerability in UERANSIM v3.2.7 allows a remote Denial of Service (DoS) against the simulated gNodeB process (nr-gnb) by sending a malformed RLS (Radio Link Simulation) UDP packet to the gNB’s RLS listener (UDP port 4997, cons::RadioLinkPort). The issue is triggered in the RLS decode path when the packet’s declared PDU length is inconsistent with the actual datagram size. In rls::DecodeRlsMessage() (src/lib/rls/rls_pdu.cpp), the decoder reads pduLength while handling an RLS PDU_TRANSMISSION message (msgType=0x06) and calls OctetView::readOctetString(pduLength) (src/utils/octet_view.cpp). When index + pduLength > size, readOctetString() throws std::out_of_range("Invalid arguments for readOctetString"). Because the gNB receive loop (RlsUdpTask::onLoop() in src/gnb/rls/udp_task.cpp) does not catch exceptions around DecodeRlsMessage(), the exception propagates to the top level and the runtime calls std::terminate(), crashing nr-gnb (observed message: terminate called after throwing an instance of 'std::out_of_range' / what(): Invalid arguments for readOctetString). |
| | Attack preconditions are minimal: the attacker only needs UDP reachability to the gNB RLS IP/port; no authentication or prior session establishment is required at the RLS layer. In practical deployments (e.g., Kubernetes-based testbeds or shared lab networks), any co-tenant/rogue host with L3 access to the gNB can deliver the UDP payload. The impact is complete loss of availability of the gNB process; all UEs attached to that gNB lose connectivity until the gNB is restarted (and repeated packets can force repeated crashes). |
| | This behavior is related to CVE-2024-37877 (malformed RLS PDU length in DecodeRlsMessage/readOctetString), but in v3.2.7 the bounds check exists and results in an uncaught exception leading to a deterministic crash (CWE-248: Uncaught Exception). Additional robustness concerns remain in the same parsing area (e.g., truncated RLS packets and unbounded PDU_TRANSMISSION_ACK count handling), but the primary confirmed vector is the PDU_TRANSMISSION malformed length causing std::out_of_range → std::terminate. |
| | Disclosure coordination: The reporter is contacting the UERANSIM maintainer(s) to report this issue responsibly and is willing to provide reproduction details privately (logs, minimal PoC, and test procedure) to support triage and a coordinated disclosure timeline; public PoC details will be withheld until a fix is available. |
| User | 0wln3d (UID 96662) |
| Submitted | 2026-04-08 16:02 (2 months ago) |
| Moderation | 2026-04-27 11:56 (19 days later) |
| Status | Accepted |
| VulDB entry | 359784 [aligungr UERANSIM up to 3.2.7 Radio Link Simulation Layer src/lib/rls/rls_pdu.cpp rls::DecodeRlsMessage pduLength denial of service] |
| Points | 17 |
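The description above explains the failure mode (a bounds check that throws, with no handler between the decoder and the top of the receive loop) and the fix it implies (catch the exception at the datagram boundary and drop the packet). The following C++ is an added example written for this page; it is not UERANSIM code and does not use the real RLS wire format. It uses a hypothetical, simplified framing ([msgType:1][pduLength:2][pdu]) and hypothetical names (OctetReader, decodeMessage, handleDatagram) to show the same contract the report describes for readOctetString, and a receive-side wrapper that turns a decoder exception into a dropped datagram instead of std::terminate().

```cpp
// Added example (not UERANSIM code): a simplified octet reader modelled on the
// behaviour described in the report, plus a receive-loop wrapper that converts
// a decoder exception into a dropped datagram instead of std::terminate().
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Minimal reader mirroring the contract described for OctetView::readOctetString:
// it throws std::out_of_range when index + length exceeds the buffer.
class OctetReader {
 public:
  explicit OctetReader(const std::vector<uint8_t>& data) : data_(data) {}

  uint8_t readByte() {
    if (index_ >= data_.size())
      throw std::out_of_range("readByte past end of buffer");
    return data_[index_++];
  }

  uint16_t readU16() {  // big-endian; hypothetical field encoding for this example
    uint16_t hi = readByte();
    uint16_t lo = readByte();
    return static_cast<uint16_t>((hi << 8) | lo);
  }

  std::vector<uint8_t> readOctetString(size_t length) {
    // Overflow-safe form of "index + length > size".
    if (length > data_.size() - index_)
      throw std::out_of_range("Invalid arguments for readOctetString");
    std::vector<uint8_t> out(data_.begin() + index_, data_.begin() + index_ + length);
    index_ += length;
    return out;
  }

 private:
  const std::vector<uint8_t>& data_;
  size_t index_ = 0;
};

// Hypothetical layout used only here (NOT the RLS wire format):
// [msgType:1][pduLength:2 big-endian][pdu:pduLength]
constexpr uint8_t kPduTransmission = 0x06;  // message type value quoted in the report

struct DecodedMessage {
  uint8_t msgType = 0;
  std::vector<uint8_t> pdu;
};

// The decoder is allowed to throw: this is the layer the report says already
// has the bounds check.
DecodedMessage decodeMessage(const std::vector<uint8_t>& datagram) {
  OctetReader view(datagram);
  DecodedMessage msg;
  msg.msgType = view.readByte();
  if (msg.msgType == kPduTransmission) {
    size_t pduLength = view.readU16();
    msg.pdu = view.readOctetString(pduLength);  // throws on inconsistent length
  }
  return msg;
}

struct ReceiveResult {
  bool accepted;
  std::string reason;
  DecodedMessage message;
};

// Datagram boundary: any decoder exception becomes a dropped packet plus a
// reason string for logging, so nothing propagates to the top level where an
// uncaught exception would end in std::terminate().
ReceiveResult handleDatagram(const std::vector<uint8_t>& datagram) {
  try {
    DecodedMessage msg = decodeMessage(datagram);
    return {true, "", msg};
  } catch (const std::out_of_range& e) {
    return {false, std::string("dropped malformed datagram: ") + e.what(), {}};
  } catch (const std::exception& e) {
    return {false, std::string("dropped datagram: ") + e.what(), {}};
  }
}

// Processes a batch the way a receive loop would; with the wrapper in place a
// malformed datagram is skipped and the later, well-formed ones are still handled.
size_t countAccepted(const std::vector<std::vector<uint8_t>>& batch) {
  size_t n = 0;
  for (const auto& d : batch)
    if (handleDatagram(d).accepted) ++n;
  return n;
}
```

The design point is where the catch sits: the decoder keeps its strict bounds check and its exception, and the per-datagram handler is the single place that turns a parse failure into "drop and log". A truncated packet (too short to even carry the length field) takes the same path, which also covers the truncated-packet concern the report mentions.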