Open5GS UPF Assertion Failure Vulnerability in PFCP Session Validation
Vulnerability
A vulnerability in the Open5GS User Plane Function (UPF) in versions prior to v2.7.2 leads to an assertion failure during the validation of PFCP session parameters. This issue arises when the UPF processes a PFCP Session Establishment Request containing an invalid PDN Type value of 0, which can be sent by the Session Management Function (SMF) or introduced through a direct attack. The UPF fails to properly handle this invalid value, causing a fatal assertion error that crashes the UPF daemon.
Impact
Exploitation of this vulnerability causes the UPF process to crash, terminating the session management functionality and potentially disrupting ongoing data flows.
Reproduction
The vulnerability can be reproduced by sending a PFCP Session Establishment Request to the UPF with the PDN Type set to 0. This can be done using a packet crafting tool like Scapy, by simulating an SMF that sends the request with the invalid PDN Type. Once the packet is received by the UPF, it will crash due to the assertion failure.
Remediation
Users can upgrade to Open5GS UPF version 2.7.3 or later, where this vulnerability has been fixed.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.