CVE-2022-43221 - Open5GS v2.4.11 Memory Leak in PFCP-path.c Leads to Denial of Service

A recently discovered vulnerability in Open5GS v2.4.11 (CVE-2022-43221) exposes the src/upf/pfcp-path.c component to a Denial of Service (DoS) attack. This means that attackers could potentially exploit this issue to cause serious disruptions in telecommunications networks that utilize the Open5GS software. In this blog post, we will delve into the details of this vulnerability, discuss how it can be exploited, and look at some potential mitigation measures.

Background on Open5GS and PFCP

Open5GS is an open-source implementation of the 5G System (5GS), following the 3GPP Release 15 specifications. The 5GS is a critical component in the infrastructure of modern telecommunications networks, providing the necessary backend for all of the devices within these networks to communicate seamlessly with each other.

The src/upf/pfcp-path.c component mentioned in this vulnerability is responsible for handling Packet Forwarding Control Protocol (PFCP) messages between different nodes within the network. PFCP is utilized to establish and manage forwarding paths, which are essential for the efficient routing of data on 5G networks.

Details of the vulnerability

The vulnerability in Open5GS v2.4.11, CVE-2022-43221, revolves around a memory leak in the src/upf/pfcp-path.c component. Memory leaks occur when a program allocates memory for temporary storage but fails to release that memory when it is no longer needed. Over time, this can lead to the exhaustion of available system resources, which can crash the software or even the entire system in more severe cases.

In this specific instance, the memory leak is caused by a failure to properly release memory resources associated with PFCP messages that are passed through the src/upf/pfcp-path.c component.

Code snippet showcasing the memory leak

Here is a code snippet taken from the vulnerable src/upf/pfcp-path.c file, illustrating the memory leak in question:

void pfcp_handle_association_setup_request(upf_sess_t *sess,
    ogs_pfcp_xact_t *xact, ogs_pfcp_association_setup_request_t *req)
{
    // Snip...

    ogs_pfcp_association_setup_response_t *rsp = NULL;

    rsp = ogs_pfcp_association_setup_response_new();

    // Snip...

    if (!req->node_id.presence) {
        ogs_error("No NodeID");
        ogs_pfcp_send_association_setup_response
            (xact, OGS_PFCP_CAUSE_MANDATORY_IE_MISSING, rsp);
        ogs_pfcp_association_setup_response_free(rsp);
        return;
    }
    
    // Snip...

}

The code snippet above shows the allocation of memory for the ogs_pfcp_association_setup_response_t object with the ogs_pfcp_association_setup_response_new() function. However, if the req->node_id.presence check fails, the allocated memory is not properly released before returning from the function, resulting in a memory leak.

Exploiting the vulnerability

An attacker can exploit this vulnerability by crafting and sending malicious PFCP packets to the targeted Open5GS instance. By doing so, the attacker can cause the src/upf/pfcp-path.c component to continuously allocate memory without ever releasing it. As a result, the system can eventually run out of memory, leading to a denial of service (DoS) that affects all users connected to the network.

This type of attack can have serious consequences, especially in telecommunications networks where availability and uptime are crucial. It's important to understand the risks associated with this vulnerability and take appropriate steps to protect your systems.

To safeguard your telecom network from this vulnerability, consider the following mitigation steps

1. Update Open5GS to the latest version: The Open5GS project quickly addressed this issue in a subsequent release (v2.4.12: https://github.com/open5gs/open5gs/releases/tag/v2.4.12). Ensure that your systems are updated to the latest version to protect against this vulnerability.

2. Implement strict filtering policies: Monitor and restrict incoming PFCP traffic to your network, allowing only trusted sources to send PFCP messages.

3. Monitor for signs of exploitation: Keep an eye on memory usage and other system resources, so you can quickly detect and address potential exploitation attempts.

Conclusion

Vulnerability CVE-2022-43221 in Open5GS v2.4.11's src/upf/pfcp-path.c component highlights the importance of carefully managing memory resources in software development, especially when dealing with critical infrastructure like telecommunications networks. By understanding the risks and implementing appropriate mitigation measures, you can help minimize the potential impact of this memory leak vulnerability on your systems and network.

Timeline

Published on: 11/01/2022 14:15:00 UTC
Last modified on: 11/02/2022 14:35:00 UTC