The Synopsys Software Integrity Group is now Black Duck®. Learn More

close search bar

Sorry, not available in this language yet

close language selection

CyRC Vulnerability Advisory: CVE-2023-23846 Denial-of-Service Vulnerability in Open5GS GTP Library

Black Duck Editorial Staff

Jan 30, 2023 / 1 min read

Overview

The Black Duck Cybersecurity Research Center (CyRC) has exposed CVE-2023-23846, a vulnerability in Open5GS. Open5GS is a C-language open source implementation that provides both 4G/LTE enhanced packet core (EPC) and 5G functionalities for mobile network deployments with an AGPLv2 or commercial license. It is primarily used to build and deploy private LTE/5G telecom network core functions by researchers and commercial entities such as telecom network operators.

Due to insufficient length validation in the Open5GS GTP library when parsing extension headers in GPRS tunneling protocol (GPTv1-U) messages, a protocol payload with any extension header length set to zero causes an infinite loop. The affected process becomes immediately unresponsive, resulting in denial of service and excessive resource consumption.

Because the code resides in a common GTP library that is shared across different functions, this vulnerability is effectively present in all deployed endpoints configured to accept and handle GTP-U messages, including the 5G user plane function (UPF, provided by open5gs-upfd), the 5G session management function (SMF, provided by open5gs-smfd), and the LTE/EPC serving gateway user plane function (SGW-U, provided by open5gs-sgwud).

Exploitation

Sending GTPv1-U message payloads with extension headers whose length is set to zero causes the target process to get stuck and remain running but unresponsive. This vulnerability can be triggered by any suitable GTPv1-U message type—including the Supported Extension Headers Notification message—which typically does not require an existing GPRS tunnel to be present and uses a zeroed tunnel end point ID (TEID).

Affected software

Open5GS release 2.4.12 and release 2.5.6 (and earlier)

Impact

Exploitation of this vulnerability leads to denial of service for the LTE and/or 5G mobile packet core due to key network functions being affected. The excess resource consumption could also degrade the functionality of other active services on the host where the vulnerable processes are running.

CVSS Base Score: 7.5 (high)

CVSS 3.1 Vector: CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

Remediation

The vulnerability is patched in versions 2.4.13 and 2.5.7, which were released on January 14, 2023.

Discovery credit

This vulnerability was discovered by CyRC researchers Tommi Maekilae from Singapore and Qiang Li from Wuhan, China, using the Defensics® Fuzz testing tool.

Timeline

  • November 28, 2022: Initial disclosure
  • November 30, 2022: Open5GS commits initial fix
  • December 1, 2022: Black Duck validates fix
  • January 14, 2023: Open5GS versions 2.4.13 and 2.5.7 are released to fix the bug
  • January 31, 2023: Black Duck publishes advisory

About CVSS

FIRST.Org, Inc. (FIRST) is a nonprofit organization based out of the U.S. that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS, but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the score was calculated.

Continue Reading

Explore Topics