
CyRC Vulnerability Advisory: CVE-2023-23846 Denial-of-Service Vulnerability in Open5GS GTP Library

Learn about CVE-2023-23846, a denial-of-service vulnerability in the GTP library shared by the Open5GS network functions.

Overview

The Synopsys Cybersecurity Research Center (CyRC) has disclosed CVE-2023-23846, a vulnerability in Open5GS. Open5GS is an open source implementation, written in C, of both the 4G/LTE evolved packet core (EPC) and the 5G core network functions for mobile network deployments, available under the AGPLv3 or a commercial license. It is primarily used by researchers and by commercial entities such as telecom network operators to build and deploy private LTE/5G core networks.

Due to insufficient length validation in the Open5GS GTP library when parsing extension headers in GPRS tunneling protocol user plane (GTPv1-U) messages, a protocol payload containing an extension header whose length field is set to zero causes an infinite loop: the parser never advances past that header. The affected process becomes immediately unresponsive, resulting in denial of service and sustained CPU consumption.

Because the code resides in a common GTP library that is shared across different functions, this vulnerability is effectively present in all deployed endpoints configured to accept and handle GTP-U messages, including the 5G user plane function (UPF, provided by open5gs-upfd), the 5G session management function (SMF, provided by open5gs-smfd), and the LTE/EPC serving gateway user plane function (SGW-U, provided by open5gs-sgwud).

Exploitation

Sending GTPv1-U message payloads with extension headers whose length is set to zero causes the target process to get stuck and remain running but unresponsive. This vulnerability can be triggered by any suitable GTPv1-U message type—including the Supported Extension Headers Notification message—which typically does not require an existing GPRS tunnel to be present and uses a zeroed tunnel end point ID (TEID).
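To make the bug class described in the two passages above concrete, the following is an added, illustrative GTPv1-U extension-header walker written for this advisory. It is not Open5GS code and does not reproduce the project's internal function names; the header layout follows 3GPP TS 29.281 (each extension header is one length byte in units of four octets, the content, and one trailing next-header-type byte, with type 0x00 ending the chain). It places a walker that trusts the length byte, the pattern behind CVE-2023-23846, beside a hardened one that rejects a zero length and bounds-checks every step, and feeds both a constructed Supported Extension Headers Notification (message type 31, TEID 0) carrying a zero-length extension header. The step cap on the vulnerable walker exists only so the demonstration terminates; the real defect has no such cap.

```c
/* Illustrative GTPv1-U extension-header walker (added example, not Open5GS code). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GTPU_FLAG_E   0x04   /* extension header present */
#define GTPU_FLAG_S   0x02   /* sequence number present */
#define GTPU_FLAG_PN  0x01   /* N-PDU number present */
#define GTPU_EXT_NONE 0x00   /* "no more extension headers" */
#define GTPU_EXT_UDP_PORT 0x40               /* UDP Port extension header, length 1 */
#define GTPU_MSG_SUPPORTED_EXT_HDR_NOTIF 31  /* needs no tunnel, TEID is 0 */

/* Negative return codes; a non-negative return is the number of extension headers. */
enum { GTPU_ERR_SHORT = -1, GTPU_ERR_BAD_LEN = -2, GTPU_ERR_STUCK = -3 };

/* Offset of the first extension header, or 0 when the packet carries none. */
static int gtpu_ext_start(const uint8_t *pkt, size_t len)
{
    if (len < 8) return GTPU_ERR_SHORT;
    if (!(pkt[0] & (GTPU_FLAG_E | GTPU_FLAG_S | GTPU_FLAG_PN))) return 0;
    if (len < 12) return GTPU_ERR_SHORT;           /* optional 4-byte part missing */
    if (!(pkt[0] & GTPU_FLAG_E)) return 0;         /* next-type byte is to be ignored */
    return 12;                                     /* pkt[11] holds the first type */
}

/* VULNERABLE pattern: the length byte is trusted. A zero length advances the
 * cursor by zero octets, so the same header is read again forever. max_steps
 * is added here only to let the demonstration return; it models the hang. */
static int gtpu_count_ext_vulnerable(const uint8_t *pkt, size_t len, int max_steps)
{
    int start = gtpu_ext_start(pkt, len);
    if (start <= 0) return start;
    size_t off = (size_t)start;
    uint8_t type = pkt[11];
    int n = 0;
    while (type != GTPU_EXT_NONE) {
        if (off >= len) return GTPU_ERR_SHORT;
        if (n++ >= max_steps) return GTPU_ERR_STUCK;   /* would spin forever */
        size_t ext_len = (size_t)pkt[off] * 4;         /* 0 => no progress */
        if (off + ext_len > len) return GTPU_ERR_SHORT;
        type = pkt[off + ext_len - 1];                 /* with ext_len 0: pkt[off-1], the same type */
        off += ext_len;
    }
    return n;
}

/* HARDENED walker: rejects a zero length and keeps every read inside the packet. */
static int gtpu_count_ext_hardened(const uint8_t *pkt, size_t len)
{
    int start = gtpu_ext_start(pkt, len);
    if (start <= 0) return start;
    size_t off = (size_t)start;
    uint8_t type = pkt[11];
    int n = 0;
    while (type != GTPU_EXT_NONE) {
        if (off >= len) return GTPU_ERR_SHORT;          /* need the length byte */
        size_t ext_len = (size_t)pkt[off] * 4;
        if (ext_len == 0) return GTPU_ERR_BAD_LEN;      /* the fix: zero length is invalid */
        if (ext_len > len - off) return GTPU_ERR_SHORT; /* header must fit in the packet */
        type = pkt[off + ext_len - 1];                  /* trailing next-type byte */
        off += ext_len;
        n++;
    }
    return n;
}

/* Constructed sample: G-PDU on TEID 1 with one well-formed UDP Port extension header. */
static const uint8_t gpdu_ok[] = {
    0x34, 0xFF, 0x00, 0x08,   /* version 1, PT=1, E=1; G-PDU; length 8 */
    0x00, 0x00, 0x00, 0x01,   /* TEID 1 */
    0x00, 0x00, 0x00, GTPU_EXT_UDP_PORT,   /* seq 0, N-PDU 0, next: UDP Port */
    0x01, 0x08, 0x68, GTPU_EXT_NONE        /* length 1 (4 octets), port 2152, next: none */
};

/* Constructed sample: Supported Extension Headers Notification with a zero-length
 * extension header. TEID 0, so no existing tunnel is needed to reach the parser. */
static const uint8_t sehn_zero_len[] = {
    0x34, GTPU_MSG_SUPPORTED_EXT_HDR_NOTIF, 0x00, 0x06,   /* E flag set; length 6 */
    0x00, 0x00, 0x00, 0x00,                               /* TEID 0 */
    0x00, 0x00, 0x00, GTPU_EXT_UDP_PORT,                  /* any non-zero type enters the loop */
    0x00, GTPU_EXT_NONE                                   /* length 0: the trigger */
};

int main(void)
{
    printf("hardened, valid G-PDU:    %d ext header(s)\n",
           gtpu_count_ext_hardened(gpdu_ok, sizeof gpdu_ok));
    printf("hardened, zero-length:    %d (GTPU_ERR_BAD_LEN)\n",
           gtpu_count_ext_hardened(sehn_zero_len, sizeof sehn_zero_len));
    printf("vulnerable, zero-length:  %d (GTPU_ERR_STUCK after cap)\n",
           gtpu_count_ext_vulnerable(sehn_zero_len, sizeof sehn_zero_len, 1000));
    return 0;
}
```

The hardened walker returns an error on the first malformed header and the caller drops the packet; the vulnerable one only returns because of the artificial cap, which is exactly the difference between a rejected datagram and a UPF, SMF or SGW-U process pinned at 100% CPU. A useful regression check for any GTP-U implementation is to fuzz the length byte of each extension header through all 256 values and confirm the parser either accepts or rejects within a bounded number of steps.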

Affected software

Open5GS release 2.4.12 and release 2.5.6 (and earlier)

Impact

Exploitation of this vulnerability leads to denial of service for the LTE and/or 5G mobile packet core due to key network functions being affected. The excess resource consumption could also degrade the functionality of other active services on the host where the vulnerable processes are running.

CVSS Base Score: 7.5 (high)

CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

Remediation

The vulnerability is patched in versions 2.4.13 and 2.5.7, which were released on January 14, 2023.

Discovery credit

This vulnerability was discovered by CyRC researchers Tommi Maekilae from Singapore and Qiang Li from Wuhan, China, using the Defensics® fuzz testing tool.

Timeline

  • November 28, 2022: Initial disclosure
  • November 30, 2022: Open5GS commits initial fix
  • December 1, 2022: Synopsys validates fix
  • January 14, 2023: Open5GS versions 2.4.13 and 2.5.7 are released to fix the bug
  • January 31, 2023: Synopsys publishes advisory

References

https://open5gs.org/

https://github.com/open5gs/open5gs

FIRST.Org, Inc. (FIRST) is a nonprofit organization based in the U.S. that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization using CVSS give appropriate attribution. FIRST also states that any individual or organization publishing scores should follow the guidelines so that anyone can understand how a score was calculated.


*** This is a Security Bloggers Network syndicated blog from Application Security Blog authored by Synopsys Cybersecurity Research Center. Read the original post at: https://www.synopsys.com/blogs/software-security/cyrc-advisory-open5gs-gtp-library/