When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request, it gets the f_teid_len from incoming message, and then uses it to copy data from incoming message to struct f_teid without checking the maximum length. If the pdi.local_f_teid.len exceeds the maximum length of the struct of f_teid, the memcpy() overwrites the fields (e.g., f_teid_len) after f_teid in the pdr struct. After parsing the request, the UPF starts to build a response. The f_teid_len with its overwritten value is used as a length for memcpy(). A segmentation fault occurs, as a result of a memcpy(), if this overwritten value is large enough.
References
Link | Resource |
---|---|
https://www.synopsys.com/blogs/software-security/cyrc-advisory-open5gs/ | Exploit Third Party Advisory |
Configurations
History
21 Sep 2022, 14:27
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://www.synopsys.com/blogs/software-security/cyrc-advisory-open5gs/ - Exploit, Third Party Advisory | |
First Time |
Open5gs
Open5gs open5gs |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CPE | cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:* | |
CWE | NVD-CWE-noinfo |
16 Sep 2022, 19:40
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-09-16 19:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-39063
Mitre link : CVE-2022-39063
CVE.ORG link : CVE-2022-39063
JSON object : View
Products Affected
open5gs
- open5gs
CWE