CVE-2021-41794

ogs_fqdn_parse in Open5GS 1.0.0 through 2.3.3 inappropriately trusts a client-supplied length value, leading to a buffer overflow. The attacker can send a PFCP Session Establishment Request with "internet" as the PDI Network Instance. The first character is interpreted as a length value to be used in a memcpy call. The destination buffer is only 100 bytes long on the stack. Then, 'i' gets interpreted as 105 bytes to copy from the source buffer to the destination buffer.
Configurations

Configuration 1 (hide)

cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:26

Type Values Removed Values Added
References () https://research.nccgroup.com/2021/10/06/technical-advisory-open5gs-stack-buffer-overflow-during-pfcp-session-establishment-on-upf-cve-2021-41794 - Exploit, Third Party Advisory () https://research.nccgroup.com/2021/10/06/technical-advisory-open5gs-stack-buffer-overflow-during-pfcp-session-establishment-on-upf-cve-2021-41794 - Exploit, Third Party Advisory

Information

Published : 2021-10-07 15:15

Updated : 2024-11-21 06:26


NVD link : CVE-2021-41794

Mitre link : CVE-2021-41794

CVE.ORG link : CVE-2021-41794


JSON object : View

Products Affected

open5gs

  • open5gs
CWE
CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')