Open5GS UPF Denial-of-Service Vulnerability via Crafted PFCP Session Establishment Request

A denial-of-service vulnerability has been identified in the Open5GS User Plane Function (UPF) version 2.7.2 and earlier. The issue allows remote attackers to cause a crash by sending a specially crafted Packet Forwarding Control Protocol (PFCP) SessionEstablishmentRequest packet. This packet must include a restoration indication set to true, along with a Tunnel Endpoint Identifier (TEID) that is either zero or exceeds the size of the PFCP TEID pool.

Impact

Exploiting this vulnerability leads to a crash of the Open5GS UPF process, causing a disruption in service.

Reproduction

The vulnerability can be reproduced by sending a PFCP NewSessionEstablishmentRequest packet with the restoration indication set to true and a TEID that is either zero or greater than the size of the PFCP TEID pool. This can be done using a Go program that establishes a UDP connection to the UPF PFCP server, sends an association setup request, and then sends the session establishment request with the crafted payload. The UPF will crash upon receiving the packet, reaching an assertion failure that causes the process to abort.

Remediation

Users can update to Open5GS version 2.7.3 or later, where this vulnerability has been fixed.