📄 Description (English)
A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function hss_ogs_diam_cx_mar_cb of the file src/hss/hss-cx-path.c of the component VoLTE Cx-Test. The manipulation of the argument OGS_KEY_LEN results in stack-based buffer overflow. The attack may be launched remotely. The patch is identified as 54dda041211098730221d0ae20a2f9f9173e7a21. A patch should be applied to remediate this issue.
🤖 AI Executive Summary
A stack-based buffer overflow vulnerability exists in Open5GS versions up to 2.7.6 affecting the VoLTE Cx-Test component. The flaw in the hss_ogs_diam_cx_mar_cb function can be exploited remotely by manipulating the OGS_KEY_LEN argument, potentially allowing attackers to execute arbitrary code or cause denial of service. With a CVSS score of 7.3 and publicly available exploits, this poses an immediate threat to telecommunications infrastructure.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 5, 2026 09:49
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability directly impacts Saudi telecommunications operators (STC, Mobily, Zain) and government telecom infrastructure managed by CITC. VoLTE services are critical for voice communications in Saudi Arabia's 5G rollout. Exploitation could compromise call quality, enable eavesdropping on VoLTE calls, or disrupt emergency services (112/999). Banking sector VoIP systems and government secure communications relying on Open5GS are also at risk. The vulnerability affects core network elements, making it a critical infrastructure concern for SAMA-regulated financial institutions using VoLTE for secure communications.
🏢 Affected Saudi Sectors
Telecommunications (STC, Mobily, Zain)
Government (CITC, NCA)
Banking (SAMA-regulated institutions)
Healthcare (VoLTE emergency services)
Energy (ARAMCO communications)
Critical Infrastructure
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Open5GS deployments in your network using version 2.7.6 or earlier
2. Isolate affected HSS (Home Subscriber Server) and Cx-Test components from untrusted networks
3. Implement network segmentation to restrict access to Diameter protocol (port 3868/TCP-UDP)
4. Enable enhanced logging on Cx interface for forensic analysis
PATCHING:
1. Apply patch commit 54dda041211098730221d0ae20a2f9f9173e7a21 immediately
2. Upgrade to Open5GS version 2.7.7 or later
3. Test patches in staging environment before production deployment
4. Coordinate with telecom operators for maintenance windows
COMPENSATING CONTROLS (if patching delayed):
1. Deploy WAF/IPS rules to detect malformed Diameter messages with oversized OGS_KEY_LEN values
2. Implement strict input validation on Cx interface
3. Monitor for stack overflow indicators in HSS logs
4. Restrict Diameter peer connections to known, trusted network elements
5. Enable ASLR and stack canaries on HSS servers
DETECTION:
1. Monitor for Diameter messages with OGS_KEY_LEN > expected threshold (typically 32 bytes)
2. Alert on HSS process crashes or unexpected restarts
3. Track failed Diameter authentication attempts from suspicious sources
4. Implement IDS signatures for malformed Cx-MAR (Multimedia-Auth-Request) messages
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نشرات Open5GS في شبكتك التي تستخدم الإصدار 2.7.6 أو أقدم
2. عزل مكونات HSS و Cx-Test المتأثرة عن الشبكات غير الموثوقة
3. تطبيق تقسيم الشبكة لتقييد الوصول إلى بروتوكول Diameter (المنفذ 3868/TCP-UDP)
4. تفعيل السجلات المحسّنة على واجهة Cx للتحليل الجنائي
تطبيق التصحيحات:
1. تطبيق تصحيح الالتزام 54dda041211098730221d0ae20a2f9f9173e7a21 فورًا
2. الترقية إلى Open5GS الإصدار 2.7.7 أو أحدث
3. اختبار التصحيحات في بيئة التجريب قبل نشرها في الإنتاج
4. التنسيق مع مشغلي الاتصالات لنوافذ الصيانة
الضوابط البديلة (إذا تأخر التصحيح):
1. نشر قواعد WAF/IPS للكشف عن رسائل Diameter المشوهة بقيم OGS_KEY_LEN كبيرة
2. تطبيق التحقق الصارم من المدخلات على واجهة Cx
3. مراقبة مؤشرات تجاوز المكدس في سجلات HSS
4. تقييد اتصالات نظراء Diameter بالعناصر الموثوقة المعروفة
5. تفعيل ASLR وكاشفات المكدس على خوادم HSS
الكشف:
1. مراقبة رسائل Diameter بقيم OGS_KEY_LEN أكبر من الحد المتوقع (عادة 32 بايت)
2. التنبيه على أعطال عملية HSS أو إعادة التشغيل غير المتوقعة
3. تتبع محاولات المصادقة الفاشلة في Diameter من مصادر مريبة
4. تطبيق توقيعات IDS لرسائل Cx-MAR المشوهة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.14.2.1 - Secure development policy
ECC 2024 A.12.2.1 - Monitoring and logging of network activities
🔵 SAMA CSF
SAMA CSF ID.RA-1 - Asset management and vulnerability identification
SAMA CSF PR.IP-12 - Software development and supply chain security
SAMA CSF DE.CM-1 - Detection and monitoring of anomalies
🟡 ISO 27001:2022
ISO 27001:2022 A.12.2.1 - Monitoring and logging
ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
ISO 27001:2022 A.14.2.1 - Secure development policy
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security patches and updates
PCI DSS 10.3 - Logging and monitoring of access
🔗 References & Sources 8
🔗
https://github.com/open5gs/open5gs/
cna@vuldb.com
Product
🔗
https://github.com/open5gs/open5gs/commit/54dda041211098730221d0ae20a2f9f9173e7a21
cna@vuldb.com
Patch
🔗
https://github.com/open5gs/open5gs/issues/4177
cna@vuldb.com
Exploit
Issue Tracking
Third Party Advisory
🔗
https://github.com/open5gs/open5gs/issues/4177#event-21256395700
cna@vuldb.com
Exploit
Issue Tracking
Third Party Advisory
🔗
https://vuldb.com/?ctiid.343795
cna@vuldb.com
Permissions Required
VDB Entry
🔗
https://vuldb.com/?id.343795
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://vuldb.com/?submit.741901
cna@vuldb.com
Third Party Advisory
VDB Entry
🔗
https://github.com/open5gs/open5gs/issues/4177#event-21256395700
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Issue Tracking
Third Party Advisory
📦 Affected Products / CPE 1 entries
open5gs:open5gs