CVE-2025-15555
📋 TL;DR
A stack-based buffer overflow vulnerability in Open5GS allows remote attackers to execute arbitrary code or cause denial of service by manipulating the OGS_KEY_LEN argument in the VoLTE Cx-Test component. This affects Open5GS deployments up to version 2.7.6 that have the HSS component enabled. Attackers can exploit this without authentication to potentially take control of affected systems.
💻 Affected Systems
- Open5GS
📦 What is this software?
Open5gs by Open5gs
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or lateral movement within the network.
Likely Case
Denial of service causing VoLTE service disruption or system crashes.
If Mitigated
Limited impact with proper network segmentation and exploit prevention controls in place.
🎯 Exploit Status
The vulnerability is remotely exploitable without authentication, but specific exploit details are not publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 54dda041211098730221d0ae20a2f9f9173e7a21
Vendor Advisory: https://github.com/open5gs/open5gs/issues/4177
Restart Required: Yes
Instructions:
1. Update Open5GS to a version containing commit 54dda041211098730221d0ae20a2f9f9173e7a21
2. Rebuild from source if using source installation
3. Restart all Open5GS services
4. Verify the patch is applied by checking the commit hash
🔧 Temporary Workarounds
Disable HSS component
Linux: Temporarily disable the HSS component if it is not required for your deployment
systemctl stop open5gs-hssd
Disable the HSS service in your configuration
Network segmentation
Linux: Restrict network access to the HSS component using firewall rules
iptables -A INPUT -p tcp --dport <hss_port> -s <trusted_ips> -j ACCEPT
iptables -A INPUT -p tcp --dport <hss_port> -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the HSS component from untrusted networks
- Deploy intrusion prevention systems (IPS) with buffer overflow detection rules
🔍 How to Verify
Check if Vulnerable:
Check the Open5GS version: if open5gs --version shows 2.7.6 or earlier, the installation is in the affected range. Verify whether the HSS component is running: systemctl status open5gs-hssd
Check Version:
open5gs --version
Verify Fix Applied:
Verify that the installed source history contains commit 54dda041211098730221d0ae20a2f9f9173e7a21. Check that the version is newer than 2.7.6.
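One way to carry out the commit check for a source installation, as an added example that is not part of the original advisory or the Open5GS project. It assumes Open5GS was built from a git checkout whose path you pass in; the function name fix_status is hypothetical.

```shell
#!/bin/sh
# Added example: decide whether a git checkout already contains the fix commit.
FIX_COMMIT=54dda041211098730221d0ae20a2f9f9173e7a21  # fix commit named in the advisory

# Usage: fix_status <path-to-checkout> [commit]
# Prints exactly one word:
#   patched    - the commit is an ancestor of (or equal to) HEAD
#   vulnerable - the commit is known locally but HEAD does not contain it
#   unknown    - not a git checkout, or the commit object is missing
#                (shallow clone, or upstream not fetched), so ancestry
#                cannot be decided from this tree
fix_status() {
    repo=$1
    commit=${2:-$FIX_COMMIT}

    # A tarball or package install has no git metadata to inspect.
    if ! git -C "$repo" rev-parse --git-dir >/dev/null 2>&1; then
        echo unknown
        return 0
    fi

    # Without the commit object locally, "not an ancestor" would be a guess.
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        echo unknown
        return 0
    fi

    rc=0
    git -C "$repo" merge-base --is-ancestor "$commit" HEAD 2>/dev/null || rc=$?
    case $rc in
        0) echo patched ;;
        1) echo vulnerable ;;
        *) echo unknown ;;   # e.g. repository with no commits yet
    esac
}

# Run directly:  sh check_fix.sh /path/to/open5gs   (path is an example)
if [ $# -gt 0 ]; then
    fix_status "$@"
fi
```

An "unknown" result on a shallow or stale clone means the history must be fetched before the check is meaningful; it does not indicate the fix is present.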
📡 Detection & Monitoring
Log Indicators:
- Abnormal HSS process crashes
- Unusual memory access patterns in system logs
- Failed authentication attempts with malformed OGS_KEY_LEN
Network Indicators:
- Unusual traffic patterns to HSS port
- Malformed Diameter protocol messages
- Unexpected connection attempts to Cx-Test interface
SIEM Query:
source="open5gs" AND (process="hss" OR component="hss-cx-path") AND (event="crash" OR event="buffer_overflow" OR message="*OGS_KEY_LEN*")
🔗 References
- https://github.com/open5gs/open5gs/
- https://github.com/open5gs/open5gs/commit/54dda041211098730221d0ae20a2f9f9173e7a21
- https://github.com/open5gs/open5gs/issues/4177
- https://github.com/open5gs/open5gs/issues/4177#event-21256395700
- https://vuldb.com/?ctiid.343795
- https://vuldb.com/?id.343795
- https://vuldb.com/?submit.741901