PT-2021-23407 · Open5Gs

Published 2021-10-07 · Updated 2021-10-15 · CVE-2021-41794

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Open5GS versions 1.0.0 through 2.3.3
Description: The issue arises from the ogs_fqdn_parse function in Open5GS, which trusts a client-supplied length value without checking it. This leads to a stack-based buffer overflow when an attacker sends a PFCP Session Establishment Request with "internet" as the PDI Network Instance. The first character of that value is interpreted as the length for a memcpy call whose destination buffer on the stack is only 100 bytes long. For instance, the character 'i' (ASCII 105) is interpreted as 105 bytes to copy from the source buffer to the destination buffer, resulting in the overflow.
Recommendations: For Open5GS versions 1.0.0 through 2.3.3, as a temporary workaround, consider restricting use of the ogs_fqdn_parse function until a patch is available. Additionally, restrict network access to the PFCP interface that carries Session Establishment Requests, to minimize the risk of exploitation. Avoid using PDI Network Instance values that could be interpreted as large length values in the memcpy call. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
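As an added illustration (not Open5GS code), a DNS-style length-prefixed FQDN parser that validates every length byte against both the remaining input and the 100-byte stack destination before copying; fqdn_parse_safe, fqdn_check and the sample inputs are constructed for this example. Fed the raw Network Instance string "internet", it rejects the leading 'i' (105) because only 7 bytes follow, instead of copying 105 bytes into the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FQDN_BUF_LEN 100  /* size of the stack buffer named in the description */

/* Parse a length-prefixed FQDN (<len><label><len><label>...) into a dotted
 * string. Returns the output length, or -1 on malformed input. Each length
 * byte is checked against remaining input and output space before any memcpy. */
int fqdn_parse_safe(char *out, size_t out_len, const uint8_t *in, size_t in_len)
{
    size_t ip = 0, op = 0;
    if (out_len == 0) return -1;
    while (ip < in_len) {
        size_t label_len = in[ip++];             /* peer-controlled length byte */
        if (label_len == 0) break;               /* root label ends the name */
        if (label_len > in_len - ip) return -1;  /* claims more bytes than sent */
        if (op > 0) {                            /* '.' between labels */
            if (op + 1 >= out_len) return -1;
            out[op++] = '.';
        }
        if (label_len >= out_len - op) return -1; /* no room for label + NUL */
        memcpy(out + op, in + ip, label_len);
        op += label_len;
        ip += label_len;
    }
    out[op] = '\0';
    return (int)op;
}

/* Demo helper: parse into a 100-byte stack buffer and compare with `expected`
 * (NULL = don't compare). Returns the parser's result, or -2 on a mismatch. */
int fqdn_check(const uint8_t *in, size_t in_len, const char *expected)
{
    char buf[FQDN_BUF_LEN];
    int rc = fqdn_parse_safe(buf, sizeof buf, in, in_len);
    if (rc >= 0 && expected && strcmp(buf, expected) != 0) return -2;
    return rc;
}

int main(void)
{
    /* Constructed inputs: the raw string "internet", whose leading 'i' (105)
     * is read as a length, and the same name correctly encoded as one label. */
    printf("raw \"internet\": rc=%d\n", fqdn_check((const uint8_t *)"internet", 8, NULL));
    printf("\\010internet:   rc=%d\n", fqdn_check((const uint8_t *)"\010internet", 9, "internet"));
    return 0;
}
```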

Exploit: Buffer Overflow


Weakness Enumeration

Related Identifiers: CVE-2021-41794

Affected Products: Open5Gs