Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- v2.7.5-49-g465e90f
A denial-of-service vulnerability exists in Open5GS version 2.7.5-49-g465e90f, specifically within the User Plane Function (UPF) component. The issue arises during the processing of a Packet Forwarding Control Protocol (PFCP) Session Establishment Request when the F-TEID (Forwarding Tunnel Endpoint Identifier) channel indicator is set to 1 and the address family flags (IPv4/IPv6) do not align with the GTP-U (GPRS Tunneling Protocol User Plane) resource family configured for the selected DNN (Data Network Name). On this mismatch, the UPF hits a reachable assertion in its PFCP context handling and crashes.
Exploitation of this vulnerability causes the UPF to crash, leading to a denial-of-service condition where the UPF component becomes unresponsive or unavailable.
The vulnerability can be reproduced by starting the UPF with a DNN that has IPv4-only GTP-U resources. After establishing a PFCP association, a PFCP Session Establishment Request can be sent with an F-TEID that has the channel indicator set to 1 and only the IPv6 flag set, creating a mismatch that triggers the crash. The issue can also be reproduced in the opposite scenario, with an IPv6-only DNN resource and an IPv4 F-TEID.
A fix for this vulnerability has been implemented and is available in the main branch of the Open5GS repository.
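The defensive pattern for this class of bug, as an added sketch that is not the Open5GS patch or any Open5GS code: a mismatch between peer-supplied F-TEID flags and the local GTP-U resource is returned as an error the caller can reject, never asserted. The flag bit values follow 3GPP TS 29.244; the function, enum and struct names are hypothetical, and requiring every requested family to be configured is an assumption of the sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* F-TEID flag bits, first octet of the IE value (3GPP TS 29.244). */
#define FTEID_V4 0x01
#define FTEID_V6 0x02
#define FTEID_CH 0x04 /* CH flag: the "channel indicator" of this advisory */

/* Hypothetical names for this sketch; none are Open5GS identifiers. */
enum fteid_check { FTEID_OK, FTEID_MALFORMED, FTEID_FAMILY_MISMATCH };
struct gtpu_resource { int has_v4, has_v6; }; /* families configured for the DNN */

/* Validate a peer-supplied F-TEID before allocating anything. Every failure
 * is a return value the caller can map to a PFCP rejection cause; nothing
 * derived from the message is asserted. */
enum fteid_check check_fteid(const uint8_t *ie, size_t len,
                             const struct gtpu_resource *res)
{
    if (ie == NULL || res == NULL || len < 1)
        return FTEID_MALFORMED;

    int want_v4 = (ie[0] & FTEID_V4) != 0;
    int want_v6 = (ie[0] & FTEID_V6) != 0;
    if (!want_v4 && !want_v6)
        return FTEID_MALFORMED;

    if (!(ie[0] & FTEID_CH)) {
        /* Peer supplies TEID and addresses: only check they are all present. */
        size_t need = 1 + 4 + (want_v4 ? 4 : 0) + (want_v6 ? 16 : 0);
        return len >= need ? FTEID_OK : FTEID_MALFORMED;
    }
    /* CH set: the UPF must allocate from its own resource, so each requested
     * family has to exist there (strict policy, an assumption of this sketch). */
    if ((want_v4 && !res->has_v4) || (want_v6 && !res->has_v6))
        return FTEID_FAMILY_MISMATCH;
    return FTEID_OK;
}

int main(void)
{
    const struct gtpu_resource v4_only = { 1, 0 };
    const uint8_t ch_v6[] = { FTEID_CH | FTEID_V6 }; /* constructed sample IE */
    const uint8_t ch_v4[] = { FTEID_CH | FTEID_V4 }; /* constructed sample IE */
    printf("CH+V6 on IPv4-only DNN: %d\n", check_fteid(ch_v6, 1, &v4_only));
    printf("CH+V4 on IPv4-only DNN: %d\n", check_fteid(ch_v4, 1, &v4_only));
    return 0;
}
```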