Vulnerability Description
When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request, it gets the f_teid_len from incoming message, and then uses it to copy data from incoming message to struct f_teid without checking the maximum length. If the pdi.local_f_teid.len exceeds the maximum length of the struct of f_teid, the memcpy() overwrites the fields (e.g., f_teid_len) after f_teid in the pdr struct. After parsing the request, the UPF starts to build a response. The f_teid_len with its overwritten value is used as a length for memcpy(). A segmentation fault occurs, as a result of a memcpy(), if this overwritten value is large enough.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Open5Gs | Open5Gs | <= 2.4.9 |
Related Weaknesses (CWE)
References
- https://www.synopsys.com/blogs/software-security/cyrc-advisory-open5gs/ExploitThird Party Advisory
- https://www.synopsys.com/blogs/software-security/cyrc-advisory-open5gs/ExploitThird Party Advisory
FAQ
What is CVE-2022-39063?
CVE-2022-39063 is a vulnerability with a CVSS score of 7.5 (HIGH). When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request, it gets the f_teid_len from ...
How severe is CVE-2022-39063?
CVE-2022-39063 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-39063?
Check the references section above for vendor advisories and patch information. Affected products include: Open5Gs Open5Gs.