CVE-2022-39063

When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request, it gets the f_teid_len from incoming message, and then uses it to copy data from incoming message to struct f_teid without checking the maximum length. If the pdi.local_f_teid.len exceeds the maximum length of the struct of f_teid, the memcpy() overwrites the fields (e.g., f_teid_len) after f_teid in the pdr struct. After parsing the request, the UPF starts to build a response. The f_teid_len with its overwritten value is used as a length for memcpy(). A segmentation fault occurs, as a result of a memcpy(), if this overwritten value is large enough.

CVSS v3.0 7.5 HIGH

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.synopsys.com/blogs/software-security/cyrc-advisory-open5gs/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*

Information

Published : 2022-09-16 12:15

Updated : 2022-09-21 07:27

NVD link : CVE-2022-39063

Mitre link : CVE-2022-39063

JSON object : View

CWE

NVD-CWE-noinfo

Products Affected

open5gs

open5gs

7.5 /10