The Black Duck Cybersecurity Research Center (CyRC) has exposed CVE-2023-23846, a vulnerability in Open5GS. Open5GS is a C-language open source implementation that provides both 4G/LTE enhanced packet core (EPC) and 5G functionalities for mobile network deployments with an AGPLv2 or commercial license. It is primarily used to build and deploy private LTE/5G telecom network core functions by researchers and commercial entities such as telecom network operators.
Due to insufficient length validation in the Open5GS GTP library when parsing extension headers in GPRS tunneling protocol (GPTv1-U) messages, a protocol payload with any extension header length set to zero causes an infinite loop. The affected process becomes immediately unresponsive, resulting in denial of service and excessive resource consumption.
Because the code resides in a common GTP library that is shared across different functions, this vulnerability is effectively present in all deployed endpoints configured to accept and handle GTP-U messages, including the 5G user plane function (UPF, provided by open5gs-upfd), the 5G session management function (SMF, provided by open5gs-smfd), and the LTE/EPC serving gateway user plane function (SGW-U, provided by open5gs-sgwud).
Sending GTPv1-U message payloads with extension headers whose length is set to zero causes the target process to get stuck and remain running but unresponsive. This vulnerability can be triggered by any suitable GTPv1-U message type—including the Supported Extension Headers Notification message—which typically does not require an existing GPRS tunnel to be present and uses a zeroed tunnel end point ID (TEID).
Open5GS release 2.4.12 and release 2.5.6 (and earlier)
Exploitation of this vulnerability leads to denial of service for the LTE and/or 5G mobile packet core due to key network functions being affected. The excess resource consumption could also degrade the functionality of other active services on the host where the vulnerable processes are running.
CVSS Base Score: 7.5 (high)
CVSS 3.1 Vector: CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
The vulnerability is patched in versions 2.4.13 and 2.5.7, which were released on January 14, 2023.
This vulnerability was discovered by CyRC researchers Tommi Maekilae from Singapore and Qiang Li from Wuhan, China, using the Defensics® Fuzz testing tool.
FIRST.Org, Inc. (FIRST) is a nonprofit organization based out of the U.S. that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS, but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the score was calculated.