Open5GS Null Pointer Dereference Vulnerability in FAR-ID Handler

Vulnerability

A null pointer dereference vulnerability has been identified in Open5GS versions through 2.7.5. This issue occurs in the FAR-ID Handler component, specifically within the function 'ogs_pfcp_handle_create_pdr' in 'lib/pfcp/handler.c'. The vulnerability can be exploited remotely, although it requires a high level of complexity. When a PFCP Session Establishment Request is received without a mandatory FAR-ID, the UPF accepts the session but crashes upon processing a matching GTP-U packet, leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability causes a crash in the UPF component, disrupting service and potentially leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a PFCP Session Establishment Request that includes a CreatePDR without a FAR-ID. This can be done using a crafted Go program that utilizes the 'github.com/wmnsk/go-pfcp' library to manipulate the PFCP message. After the session is established, sending a GTP-U packet that matches the PDR will trigger the crash, as the missing FAR-ID causes the UPF to dereference a null pointer.

Remediation

Users are advised to update to the latest version of Open5GS, where this vulnerability has been fixed.
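
The missing check described above can be illustrated with a small validator that walks the IEs of a PFCP message body and rejects any Create PDR that carries no FAR ID before session state is built. This is an added example, not Open5GS code or its fix: the function and sample names are hypothetical, the IE type numbers are assumed from 3GPP TS 29.244, and FAR ID is treated as required, as the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>

/* IE type numbers as assigned in 3GPP TS 29.244 (assumed; not given on the page). */
enum { IE_CREATE_PDR = 1, IE_PDR_ID = 56, IE_FAR_ID = 108 };
enum verdict { V_OK, V_MALFORMED, V_NO_PDR_ID, V_NO_FAR_ID };

/* Scan a run of TLV IEs (2-byte type, 2-byte length, value) for `want`: 1 if present
 * with exactly `need` value bytes, 0 if absent, -1 if truncated or wrong length. */
static int has_ie(const uint8_t *b, size_t n, uint16_t want, size_t need)
{
    for (size_t off = 0; off < n; ) {
        if (n - off < 4) return -1;                 /* truncated IE header */
        uint16_t type = (uint16_t)((b[off] << 8) | b[off + 1]);
        size_t len = (size_t)((b[off + 2] << 8) | b[off + 3]);
        off += 4;
        if (len > n - off) return -1;               /* value overruns the buffer */
        if (type == want) return len == need ? 1 : -1;
        off += len;
    }
    return 0;
}

/* Check every Create PDR in a message body; the first failure decides the verdict. */
enum verdict check_create_pdrs(const uint8_t *b, size_t n)
{
    for (size_t off = 0; off < n; ) {
        if (n - off < 4) return V_MALFORMED;
        uint16_t type = (uint16_t)((b[off] << 8) | b[off + 1]);
        size_t len = (size_t)((b[off + 2] << 8) | b[off + 3]);
        off += 4;
        if (len > n - off) return V_MALFORMED;
        if (type == IE_CREATE_PDR) {
            int pdr = has_ie(b + off, len, IE_PDR_ID, 2);   /* PDR ID: 2-byte rule id */
            int far = has_ie(b + off, len, IE_FAR_ID, 4);   /* FAR ID: 4-byte value */
            if (pdr < 0 || far < 0) return V_MALFORMED;
            if (pdr == 0) return V_NO_PDR_ID;
            if (far == 0) return V_NO_FAR_ID;       /* the case this advisory describes */
        }
        off += len;
    }
    return V_OK;
}

/* Constructed samples, reduced to the two IEs under test (a real PDR carries more). */
const uint8_t SAMPLE_OK[] = { 0,1, 0,14,  0,56, 0,2, 0,1,  0,108, 0,4, 0,0,0,1 };
const uint8_t SAMPLE_NO_FAR[] = { 0,1, 0,6,  0,56, 0,2, 0,1 };

int main(void) { return check_create_pdrs(SAMPLE_NO_FAR, sizeof SAMPLE_NO_FAR) != V_NO_FAR_ID; }
```

A request that yields V_NO_FAR_ID should be answered with a rejection cause and logged, so the rule never reaches the packet-processing path.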

Added: Dec 19, 2025, 4:25 PM
Updated: Dec 19, 2025, 6:20 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.