
Preface: Open5GS is a popular open-source 5G core network (5GC) implementation, particularly among researchers and those building private 5G networks. It’s recognized as one of the leading open-source 5GC projects. Open5GS is known for its adherence to 3GPP standards and its mature development, making it suitable for various applications like testbeds, research, and even some deployments.
Background: The PFCP library refers to a software component, often implemented in programming languages like Go, designed to support the Packet Forwarding Control Protocol (PFCP). PFCP is a signaling protocol used in mobile core networks, particularly in the context of Control and User Plane Separation (CUPS) within 4G and 5G architectures. It enables communication between control plane elements (like the Session Management Function or SMF) and user plane elements (like the User Plane Function or UPF). PFCP is used by network equipment (like 5G base stations and core network elements) to manage data forwarding.
Vulnerability details: A missing length check in the `ogs_pfcp_subnet_add` function of the PFCP library, used by both smf and upf in open5gs 2.7.2 and earlier, allows a local attacker to cause a buffer overflow by setting the `session.dnn` field to a value with a length greater than 101.
Comment: The developer added the `strcpy` block as new logic to handle the DNN field. If the patch doesn’t include bounds checking, it introduces a new vulnerability.
Suggestion: The `strcpy` should be replaced with a safe alternative.
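The unchecked copy next to a length-checked replacement, as an added example that is not Open5GS code or its official fix. The struct, the function names and the 101-byte buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DNN_BUF_LEN 101 /* assumed for this example: 100 chars + NUL */

/* Hypothetical stand-in for the subnet record, not the Open5GS struct. */
struct subnet_example { char dnn[DNN_BUF_LEN]; };

/* The pattern described above, kept for contrast and never called here:
 * strcpy() copies until the NUL in src, whatever the size of dst. */
void set_dnn_unchecked(struct subnet_example *s, const char *dnn)
{
    strcpy(s->dnn, dnn);
}

/* Hardened form: check the length first and reject oversized input rather
 * than truncating it, since a truncated DNN could name a different network.
 * Returns 0 on success, -1 on rejection; dst is untouched on rejection. */
int set_dnn_checked(struct subnet_example *s, const char *dnn)
{
    size_t len;

    if (s == NULL || dnn == NULL)
        return -1;
    len = strlen(dnn);
    if (len >= sizeof(s->dnn))
        return -1;
    memcpy(s->dnn, dnn, len + 1); /* len + 1 copies the terminating NUL */
    return 0;
}

/* Build a constructed DNN of n characters and run it through the check. */
int try_len(size_t n)
{
    char src[256];
    struct subnet_example s = { "" };

    if (n >= sizeof(src))
        return -1;
    memset(src, 'a', n);
    src[n] = '\0';
    return set_dnn_checked(&s, src);
}

int main(void)
{
    printf("len 8 -> %d\n", try_len(8));
    printf("len 100 -> %d\n", try_len(100));
    printf("len 101 -> %d\n", try_len(101));
    return 0;
}
```

Rejecting at configuration load time also gives the operator an error to act on, instead of a session bound to a silently shortened DNN.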
Official announcement: Please refer to the supplier announcement –