Open5GS, version 2.4.10 and prior.
INCIBE has coordinated the publication of 4 vulnerabilities affecting Open5GS, an implementation of 5G Core and 4G, which were discovered by Pablo Valle Alvear, from the Titanium Industrial Security team.
Each vulnerability has been assigned the following code, CVSS v3.1 base score, CVSS vector string and CWE vulnerability type:
- CVE-2023-4882: CVSS v3.1: 7.5 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CWE-404.
- CVE-2023-4883: CVSS v3.1: 7.5 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CWE-763.
- CVE-2023-4884: CVSS v3.1: 6.5 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L | CWE-306.
- CVE-2023-4885: CVSS v3.1: 6.5 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | CWE-300.
Open5GS is working on a fix for the reported vulnerabilities.
- CVE-2023-4882: DoS vulnerability that could allow an attacker to register a new VNF (Virtual Network Function) value. This action could trigger the args_assets() function defined in the arg-log.php file, which would then execute the args-abort.c file, causing the service to crash.
- CVE-2023-4883: invalid pointer release vulnerability. Exploitation of this vulnerability could allow an attacker to interrupt the correct operation of the service by sending a specially crafted JSON string to the VNF (Virtual Network Function) and triggering the ogs_sbi_message_free function, which could cause a service outage.
- CVE-2023-4884: lack of authentication vulnerability. An attacker could send an HTTP request to an Open5GS endpoint and retrieve the information stored on the device due to the lack of authentication.
- CVE-2023-4885: man-in-the-middle vulnerability, which could allow an attacker to intercept VNF (Virtual Network Function) communications, resulting in the exposure of sensitive information.