CVE-2025-15418
BaseFortify
Publication date: 2026-01-02
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open5gs | open5gs | up to 2.7.6 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can cause a denial of service (DoS) on systems running Open5GS up to version 2.7.6 by crashing the SGW-C process when it receives malformed Bearer QoS IEs in GTPv2 messages. The impact is loss of availability of the affected service, potentially disrupting all connected users relying on the SGW-C component. The attack requires local access and is considered easy to exploit, with a public proof-of-concept exploit available. It does not affect confidentiality or integrity, but system availability is compromised until the patch is applied. [2, 3, 4]
Can you explain this vulnerability to me?
CVE-2025-15418 is a denial of service vulnerability in Open5GS up to version 2.7.6. It occurs in the function ogs_gtp2_parse_bearer_qos, which handles Bearer QoS Information Elements (IEs) in GTPv2 messages. The vulnerability arises because the function contains a hard assertion that the IE length must match a fixed expected length. If a malformed or incorrectly sized Bearer QoS IE is received, this assertion fails, causing the process to abort and crash the SGW-C (Serving Gateway Control) component. This flaw allows an attacker with local access to send malformed GTPv2 messages that crash the service, resulting in denial of service. The issue has been fixed by replacing the hard assertions with defensive length checks and proper error handling to prevent crashes. [1, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for fatal assertion failure logs in the Open5GS SGW-C or SMF components, specifically messages like '[gtp] FATAL: ogs_gtp2_parse_bearer_qos: Assertion octet->len == GTP2_BEARER_QOS_LEN failed'. Additionally, detection can involve capturing and analyzing GTPv2 Create Session Request messages containing malformed Bearer QoS Information Elements (IEs) with incorrect lengths (e.g., length not equal to 22 bytes). Network packet capture tools such as tcpdump or Wireshark can be used to filter GTPv2 traffic on UDP port 2123 and inspect the Bearer QoS IE length. Example command to capture relevant packets: `tcpdump -i <interface> udp port 2123 -w capture.pcap`. Then analyze the captured packets for malformed Bearer QoS IEs. Also, checking Open5GS logs for the specific assertion failure messages can help detect exploitation attempts. [3, 4]
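As an added illustration (not code from Open5GS or from its patch), the assert-on-length pattern described above next to the defensive length check that replaces it, plus the same check run as a detection pass over a constructed GTPv2-C IE list of the kind the tcpdump capture above would yield. It assumes the IE layout of 3GPP TS 29.274 (type, 2-byte big-endian length, spare/instance byte, value) and that Bearer QoS is IE type 80 with a 22-byte value; the function and sample names are mine.

```c
/* Added illustration (not Open5GS code): assert-on-length versus a defensive
 * check, and that check reused as a detection pass over a captured IE list.
 * Assumed IE layout per 3GPP TS 29.274: type(1) | length(2, big-endian) |
 * spare/instance(1) | value; Bearer QoS is IE type 80, value length 22. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

#define GTP2_IE_BEARER_QOS 80
#define GTP2_BEARER_QOS_LEN 22

struct ie_view { uint8_t type; uint16_t len; const uint8_t *val; };

/* Vulnerable pattern: the attacker-controlled length is trusted via assert();
 * a malformed IE aborts the whole process, which is the denial of service. */
int parse_bearer_qos_assert(const struct ie_view *ie) {
    assert(ie->len == GTP2_BEARER_QOS_LEN);
    return 0;
}

/* Hardened pattern: validate, report an error, keep the process alive. */
int parse_bearer_qos_checked(const struct ie_view *ie) {
    if (ie->type != GTP2_IE_BEARER_QOS || ie->len != GTP2_BEARER_QOS_LEN)
        return -1; /* caller rejects the message instead of crashing */
    return 0;
}

/* Detection pass: count Bearer QoS IEs whose length is not 22 in the IE list
 * of a GTPv2-C message body. Returns -1 if the TLV framing itself is
 * truncated, so a defender can flag that case separately. */
int count_malformed_bearer_qos(const uint8_t *body, size_t n) {
    size_t off = 0; int bad = 0;
    while (off < n) {
        if (n - off < 4) return -1;               /* truncated IE header */
        struct ie_view ie = { body[off],
            (uint16_t)((body[off + 1] << 8) | body[off + 2]), body + off + 4 };
        if (ie.len > n - off - 4) return -1;      /* length exceeds buffer */
        if (ie.type == GTP2_IE_BEARER_QOS && parse_bearer_qos_checked(&ie))
            bad++;
        off += 4 + ie.len;
    }
    return bad;
}

/* Constructed samples: a well-formed Bearer QoS IE (22-byte value), and the
 * same IE followed by a malformed one carrying only 5 value bytes. */
const uint8_t SAMPLE_GOOD[] = { 80, 0, 22, 0,
    0x01, 0x09, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0 };
const uint8_t SAMPLE_BAD[]  = { 80, 0, 22, 0,
    0x01, 0x09, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0,
    80, 0, 5, 0, 1, 2, 3, 4, 5 };
```

Running the detection pass over SAMPLE_BAD reports one malformed Bearer QoS IE; the same input would abort a process using the assert-based parser.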
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the official patch identified by commit 4e913d21f2c032b187815f063dbab5ebe65fe83a, which replaces fatal assertions with defensive length validations and proper error handling to prevent process crashes. Until the patch is applied, restrict local access to the affected Open5GS components to prevent exploitation, as the attack requires local access. Monitoring logs for assertion failures and malformed GTPv2 messages can also help in early detection. Promptly updating Open5GS to a version including this patch is strongly recommended to ensure system stability and prevent denial of service. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a denial of service by crashing the Open5GS SGW-C process when processing malformed Bearer QoS Information Elements. It impacts system availability but does not affect confidentiality or integrity of data. Therefore, it primarily affects availability aspects of compliance. However, there is no specific information provided about direct impacts on compliance with standards like GDPR or HIPAA in the provided resources. [2]