Key vulnerability information

Title: Open5GS SGWC v2.7.6 Denial of Service

Description: SGW-C can be forced to abort (SIGABRT / core dumped) if a ModifyBearerResponse is delivered on S5-C after the corresponding S11 transaction has already timed out and been freed. The handler sgwc_s5c_handle_modify_bearer_response() expects to retrieve a valid associated S11 transaction (s11_xact), but when the S11-side transaction is stale/expired, s11_xact becomes NULL and the code hits ogs_assert(s11_xact), crashing open5gs-sgwc. This results in a remote DoS condition for any attacker who can simulate MME/PGW behavior and control message timing.

Discoverers: Ziyu Lin, Xiaofeng Wang, Wei Dong (Nanyang Technological University)

CVSS score: CVSS3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reproduction steps:
1. Start a new go project inside a new folder:
2. Create a and paste the code provided (not shown in this screenshot)

Attack flow:
1. MME -> SGW-C: CreateSessionRequest (establish session)
2. PGW: Respond to CreateSessionRequest
3. MME -> SGW-C: ModifyBearerRequest (creates S11 transaction)
4. SGW-C -> PGW: ModifyBearerRequest (creates S5c transaction, associated with S11)
5. Wait for S11 transaction to timeout (don't respond from MME side)
6. PGW -> SGW-C: ModifyBearerResponse (S11 transaction already expired)
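As an added illustration (not Open5GS code; the xact_t type, xact_timeout() and the handler below are hypothetical stand-ins), a minimal C model of the failure mode described above and a defensive handler that discards the late ModifyBearerResponse instead of asserting on the missing S11 transaction:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified GTP-C transaction pair (not Open5GS's own types):
 * the S5-C transaction points to the S11 transaction it was created for. */
typedef struct xact_s {
    uint32_t seq;            /* GTP-C sequence number */
    struct xact_s *assoc;    /* peer transaction on the other interface */
} xact_t;

enum { HANDLE_OK = 0, HANDLE_STALE_XACT = -1 };

/* Timeout: release the transaction and unlink it, so the peer's assoc is NULL. */
static void xact_timeout(xact_t *x) {
    if (x->assoc != NULL) x->assoc->assoc = NULL;
    x->assoc = NULL;
}

/* Hardened S5-C handler: where the vulnerable code aborts on
 * ogs_assert(s11_xact), this version logs and discards the late response. */
int handle_modify_bearer_response(xact_t *s5c_xact) {
    xact_t *s11_xact = s5c_xact ? s5c_xact->assoc : NULL;
    if (s11_xact == NULL) {
        fprintf(stderr, "[S5C] seq=%u: S11 transaction already expired, "
                "discarding ModifyBearerResponse\n",
                s5c_xact ? s5c_xact->seq : 0u);
        return HANDLE_STALE_XACT;
    }
    /* ... normal path: relay the response towards the MME on s11_xact ... */
    return HANDLE_OK;
}

/* Constructed scenario following the attack flow above: steps 3-4 link the
 * pair; with s11_timed_out set, step 5 expires S11 before step 6 arrives. */
int simulate_late_response(int s11_timed_out) {
    xact_t s11 = { .seq = 1, .assoc = NULL };
    xact_t s5c = { .seq = 2, .assoc = &s11 };
    s11.assoc = &s5c;
    if (s11_timed_out) xact_timeout(&s11);
    return handle_modify_bearer_response(&s5c);
}

int main(void) {
    printf("timely response: %d, late response: %d\n",
           simulate_late_response(0), simulate_late_response(1));
    return 0;
}
```

The point to verify in a real fix is that the late-response path returns an error to the caller rather than reaching an assertion, so a peer that controls message timing cannot turn a stale transaction into a process crash.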