CyRC Vulnerability Advisory: CVE-2023-23846 Denial-of-Service Vulnerability in Open5GS GTP Library

By: Nata Kesuma | Sunday, February 05 2023 - 22:55 IWST

Singapore - The Synopsys Cybersecurity Research Center (CyRC) has disclosed CVE-2023-23846, a vulnerability in Open5GS. Open5GS is an open source implementation, written in C, that provides both 4G/LTE enhanced packet core (EPC) and 5G functionalities for mobile network deployments under an AGPLv2 or commercial license.

It is primarily used to build and deploy private LTE/5G telecom network core functions by researchers and commercial entities such as telecom network operators.

Due to insufficient length validation in the Open5GS GTP library when parsing extension headers in GPRS tunneling protocol (GTPv1-U) messages, a protocol payload with any extension header length set to zero causes an infinite loop. The affected process becomes immediately unresponsive, resulting in denial of service and excessive resource consumption.

Because the code resides in a common GTP library that is shared across different functions, this vulnerability is effectively present in all deployed endpoints configured to accept and handle GTP-U messages, including the 5G user plane function (UPF, provided by open5gs-upfd), the 5G session management function (SMF, provided by open5gs-smfd), and the LTE/EPC serving gateway user plane function (SGW-U, provided by open5gs-sgwud).
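The length validation whose absence the advisory describes can be illustrated with a bounds-checked GTPv1-U extension header walk. This is an added example, not Open5GS code or the project's fix; the function name `gtpu_header_len`, the cap `GTPU_MAX_EXT` and the sample packets are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define GTPU_FLAG_E  0x04  /* extension header present */
#define GTPU_FLAG_S  0x02  /* sequence number present */
#define GTPU_FLAG_PN 0x01  /* N-PDU number present */
#define GTPU_MAX_EXT 8     /* assumed local cap on chained extension headers */

/* Constructed samples: G-PDU with one 4-octet extension header (type 0x85). */
const uint8_t sample_ok[] = { 0x34, 0xff, 0x00, 0x0a, 0, 0, 0, 1,
    0, 0, 0, 0x85, 0x01, 0x10, 0x01, 0x00, 0xde, 0xad };
/* Same packet with the extension header length octet set to zero. */
const uint8_t sample_zero_len[] = { 0x34, 0xff, 0x00, 0x0a, 0, 0, 0, 1,
    0, 0, 0, 0x85, 0x00, 0x10, 0x01, 0x00, 0xde, 0xad };

/* Returns the total GTPv1-U header length in bytes, or -1 if malformed. */
int gtpu_header_len(const uint8_t *pkt, size_t pkt_len)
{
    size_t off = 8;                      /* mandatory header */
    uint8_t next_type;
    int count = 0;

    if (pkt == NULL || pkt_len < off)
        return -1;
    if ((pkt[0] >> 5) != 1)              /* version must be 1 */
        return -1;
    if ((pkt[0] & (GTPU_FLAG_E | GTPU_FLAG_S | GTPU_FLAG_PN)) == 0)
        return (int)off;
    off += 4;                            /* seq(2) + N-PDU(1) + next type(1) */
    if (pkt_len < off)
        return -1;
    if ((pkt[0] & GTPU_FLAG_E) == 0)
        return (int)off;

    next_type = pkt[off - 1];
    while (next_type != 0) {
        size_t ext_len;

        if (++count > GTPU_MAX_EXT || off >= pkt_len)
            return -1;
        ext_len = (size_t)pkt[off] * 4;  /* length field counts 4-octet units */
        if (ext_len == 0)                /* zero would never advance 'off' */
            return -1;
        if (ext_len > pkt_len - off)     /* header runs past the buffer */
            return -1;
        off += ext_len;
        next_type = pkt[off - 1];        /* last octet of this header */
    }
    return (int)off;
}
```

The loop terminates on every input because each iteration either rejects the packet or advances the offset by at least four octets, and the chain length is capped.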
