Headline
CVE-2022-3354: UPF crashes after UDP port scan · Issue #1767 · open5gs/open5gs
A vulnerability has been found in Open5GS up to 2.4.10 and classified as problematic. This vulnerability affects unknown code in the library lib/core/ogs-tlv-msg.c of the component UDP Packet Handler. The manipulation leads to denial of service. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. VDB-209686 is the identifier assigned to this vulnerability.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
Popvlvs opened this issue
Sep 19, 2022
· 5 comments
Open
UPF crashes after UDP port scan #1767
Popvlvs opened this issue
Sep 19, 2022
· 5 comments
Comments
Hi all,
First of all, I’d like to analyze this issue deeply, because I got this in the very first test. However, it seems really easy to achieve a DoS attack by executing a simple port scan.
Following image shows the UPF log after the scan:
I’ll update this thread with further discoveries.
Regards.
Popvlvs changed the title UDM crahses after UDP port scan UPFcrahses after UDP port scan
Sep 19, 2022
Popvlvs changed the title UPFcrahses after UDP port scan UPF crashes after UDP port scan
Sep 19, 2022
acetcom added a commit that referenced this issue
Sep 25, 2022
acetcom added the Not Enough
Maintenance is requesting additional information to address this issue.
label
Sep 25, 2022
@Popvlvs
I’ve added more debug information to fix this issue in the main branch. If you can reproduce this problem, please share the print log message.
Thanks a lot!
Sukchan
acetcom added Security
Security issue
and removed Not Enough
Maintenance is requesting additional information to address this issue.
Bug
Open5GS bug
labels
Sep 28, 2022
@Popvlvs
I’ve improved the security protection in the branch issues1767.
Please let me know if the issue has been resolved.
Thanks a lot!
Sukchan
@acetcom
It fails when compiling. See the following picture:
Regards.
@Popvlvs
Here are my results.
$ rm -Rf open5gs
$ git clone https://github.com/open5gs/open5gs
$ cd open5gs
$ git checkout issues1767
Branch 'issues1767' set up to track remote branch 'issues1767' from 'origin'.
Switched to a new branch 'issues1767'
$ meson build --prefix=`pwd`/install
$ cd build
$ ninja
[3241/3241] Linking target tests/non3gpp/non3gpp.
That works well.
Good luck with you!
Sukchan
@acetcom
My fault :)
It seems it’s fixed now. It logs errors because of the malformed UDP payload (as expected) but it doesn’t crash. Besides, I tried to register a new UE during the port scan and it attaches to the network successfully (highlighted on the following picture).
Thanks again!
Regards.
2 participants