Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request, it gets the f_teid_len from incoming message, and then uses it to copy data from incoming message to struct f_teid without checking the maximum length. If the pdi.local_f_teid.len exceeds the maximum length of the struct of f_teid, the memcpy() overwrites the fields (e.g., f_teid_len) after f_teid in the pdr struct. After parsing the request, the UPF starts to build a response. The f_teid_len with its overwritten value is used as a length for memcpy(). A segmentation fault occurs, as a result of a memcpy(), if this overwritten value is large enough.
CVSS Information
N/A
Vulnerability Type
潜在危险函数的使用
Vulnerability Title
Open5GS 安全漏洞
Vulnerability Description
Open5GS是一个 5G Core 和 Epc 的 C 语言开源实现,即 Lte/Nr 网络的核心网络。 Open5GS 2.4.9及之前版本存在安全漏洞,该漏洞源于如果pdi.local_f_teid.len超过了f_teid结构的最大长度,memcpy()就会覆盖pdr结构中f_teid后面的字段,在解析完请求后,UPF开始建立一个响应,f_teid_len及其覆盖的值被用作memcpy()的长度。如果这个覆盖的值足够大,作为memcpy()的结果,会发生分段故障。
CVSS Information
N/A
Vulnerability Type
N/A