7.5 CVE-2022-38871

Exploit

 

In Free5gc v3.0.5, the AMF breaks due to malformed NAS messages.
https://nvd.nist.gov/vuln/detail/CVE-2022-38871

Categories

CWE-400 : Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the software within a short time frame. While fuzzing is typically geared toward finding low-level implementation bugs, it can inadvertently find resource exhaustion problems. This can occur when the fuzzer generates a large number of test cases but does not restart the targeted software in between test cases. If an individual test case produces a crash, but it does not do so reliably, then an inability to handle resource exhaustion may be the cause. Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold. Ensure that protocols have specific limits of scale placed on them. Ensure that all failures in resource allocation place the system into a safe posture. Chain: Python library does not limit the resources used to process images that specify a very large number of bands (CWE-1284), leading to excessive memory consumption (CWE-789) or an integer overflow (CWE-190). Go-based workload orchestrator does not limit resource usage with unauthenticated connections, allowing a DoS by flooding the service Resource exhaustion in distributed OS because of "insufficient" IGMP queue management, as exploited in the wild per CISA KEV. Product allows attackers to cause a crash via a large number of connections. Malformed request triggers uncontrolled recursion, leading to stack exhaustion. Chain: memory leak (CWE-404) leads to resource exhaustion. Driver does not use a maximum width when invoking sscanf style functions, causing stack consumption. Large integer value for a length property in an object causes a large amount of memory allocation. Web application firewall consumes excessive memory when an HTTP request contains a large Content-Length value but no POST data. Product allows exhaustion of file descriptors when processing a large number of TCP packets. Communication product allows memory consumption with a large number of SIP requests, which cause many sessions to be created. TCP implementation allows attackers to consume CPU and prevent new connections using a TCP SYN flood attack. Port scan triggers CPU consumption with processes that attempt to read data from closed sockets. Product allows attackers to cause a denial of service via a large number of directives, each of which opens a separate window. Product allows resource exhaustion via a large number of calls that do not complete a 3-way handshake. Mail server does not properly handle deeply nested multipart MIME messages, leading to stack exhaustion. Chain: anti-virus product encounters a malformed file but returns from a function without closing a file descriptor (CWE-775) leading to file descriptor consumption (CWE-400) and failed scans.

References

MISC Exploit

https://github.com/free5gc/free5gc/issues/198
Exploit Issue Tracking Third Party Advisory


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:free5gc:free5gc:3.0.5:*:*:*:*:*:*:*

Exploits

Exploit-db.com
id description date
No known exploits
Other (github, ...)
Url
https://github.com/free5gc/free5gc/issues/198

CAPEC

id description severity
492 Regular Expression Exponential Blowup
147 XML Ping of the Death
Medium

Sherlock® flash

Take a picture of your computer network in a few clicks !

The Sherlock® flash audit solution allows you to perform an audit to strengthen the security of your IT assets. Vulnerability analysis of your physical and virtual equipment. Patch planning by priority level and time available. Detailed and intuitive reporting.

Discover this offer

Sherlock® flash: 1st instant cybersecurity audit solution