Submit #800025: Open5GS 2.7.7 Denial of Service (DoS) (CWE-400)

Info

Title: Open5GS 2.7.7 Denial of Service (DoS) (CWE-400)

Description: Open5GS UPF (open5gs-upfd) is vulnerable to a remotely triggerable user-plane Denial of Service (performance degradation) on the GTP-U interface (N3). An attacker with network reachability to the UPF GTP-U listener (UDP/2152) can send a sustained high-rate stream of crafted GTP-U packets—interleaving GTP-U Echo Requests and G-PDUs carrying invalid/unknown TEIDs—that forces expensive synchronous work on the UPF data-path receive callback. In particular, invalid-TEID handling repeatedly triggers error-path processing (including ogs_error(...) and ogs_log_hexdump() formatting) and may generate Error Indication responses, while Echo Requests trigger Echo Responses; these operations are executed on the hot path without adequate rate limiting/backpressure. This results in event-loop starvation and uncontrolled resource consumption (CWE-400), manifesting as severe latency inflation, tail-latency spikes, jitter, and packet loss for legitimate user-plane traffic traversing the same UPF instance, even while PDU sessions remain established (“connected but untimely”).

The issue is reachable pre-authentication from the network perspective (no 5GC credentials required to send the attack traffic): the adversary only needs to deliver UDP datagrams to the UPF’s GTP-U port. In private 5G deployments, a co-tenant UE may infer a reachable UPF address via common network reconnaissance (e.g., traceroute/subnet probing) and then execute the same traffic-driven attack; the core exposure remains the UPF’s externally reachable GTP-U processing path and its lack of rate limiting for abusive inputs.

Affected component/path (source-level context): UPF GTP-U receive callback in src/upf/gtp-path.c (_gtpv1_u_recv_cb), specifically Echo Request handling and the invalid/unknown TEID error path for G-PDU processing, which invokes synchronous logging/hexdump and triggers protocol response generation.

Test evidence: Open5GS v2.7.7 (container image docker.io/gradiant/open5gs:2.7.7), with degradation confirmed in a Kubernetes-based 5G SA testbed by measuring a baseline sub-millisecond RTT rising to multi-millisecond averages with large tail spikes (tens of ms) and non-trivial packet loss under attack, while connectivity (PDU session attachment) persisted.

Disclosure coordination: The reporter is contacting the Open5GS maintainer(s) to report this issue responsibly and is willing to provide reproduction details privately (logs, minimal PoC, and test procedure) to support triage and a coordinated disclosure timeline; public PoC details will be withheld until a fix is available.
User: 0wln3d (UID 96662)
Submission: 08.04.2026 15:51 (2 months ago)
Moderation: 08.05.2026 21:47 (1 month later)
Status: Accepted
VulDB entry: 362339 [Open5GS up to 2.7.7 UPF src/upf/gtp-path.c _gtpv1_u_recv_cb denial of service]
Points: 17
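
The description attributes the degradation to logging, hexdump and response generation running on the receive path without rate limiting. As an added illustration of that mitigation (not Open5GS code and not part of the submission), the token bucket below gates the expensive invalid-TEID path and counts everything else; all names, the rate of 10 events/s and the burst of 5 are assumptions, and the packet arrival times are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define NSEC 1000000000ULL

/* Token bucket in front of the invalid-TEID error path (hypothetical names). */
struct err_limiter {
    uint64_t rate_per_s;  /* expensive error events allowed per second */
    uint64_t burst;       /* bucket capacity */
    uint64_t tokens;      /* tokens currently available */
    uint64_t last_ns;     /* time up to which refill has been credited */
    uint64_t suppressed;  /* events dropped with only this counter touched */
};

/* Returns 1 if logging/hexdump and an Error Indication may be produced,
 * 0 if the packet should be dropped after incrementing a counter. */
static int err_limiter_allow(struct err_limiter *l, uint64_t now_ns)
{
    uint64_t add = (now_ns - l->last_ns) * l->rate_per_s / NSEC;
    if (add > 0) {
        l->tokens += add;
        l->last_ns += add * NSEC / l->rate_per_s;
        if (l->tokens >= l->burst) {  /* bucket full: discard surplus credit */
            l->tokens = l->burst;
            l->last_ns = now_ns;
        }
    }
    if (l->tokens == 0) {
        l->suppressed++;
        return 0;
    }
    l->tokens--;
    return 1;
}

/* Constructed input: n unknown-TEID packets arriving every gap_ns.
 * Returns how many would reach the expensive path. */
static uint64_t flood_expensive(uint64_t rate, uint64_t burst,
                                uint64_t n, uint64_t gap_ns)
{
    struct err_limiter l = { rate, burst, burst, 0, 0 };
    uint64_t hits = 0;
    for (uint64_t i = 0; i < n; i++)
        hits += (uint64_t)err_limiter_allow(&l, i * gap_ns);
    return hits;
}

int main(void)
{
    printf("flood: %llu of 100000 reach the error path\n",
           (unsigned long long)flood_expensive(10, 5, 100000, 10000));
    return 0;
}
```

The `suppressed` counter can be exported as a metric or logged once per interval, so a flood stays visible to operators without per-packet formatting work.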
