free5GC Denial-of-Service Vulnerability via Malformed PFCP Session Modification Request

Vulnerability

A denial-of-service vulnerability has been identified in free5GC version 4.1.0. The issue arises in the UPF component when it processes PFCP Session Modification Requests containing oversized Local SEID header values. An attacker can manipulate the session identifier so that the UPF crashes with a runtime error caused by invalid memory access. The root cause is a lack of proper bounds checking on SEID values: when the maximum unsigned integer value is used, integer wrap-around produces a negative index.
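The missing check described above, as an added Go example; it is not free5GC's code or its 4.1.1 patch. The `Session` type, the 1-based slot table and all function names are hypothetical, and the header layout assumed is the PFCP header from 3GPP TS 29.244.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

type Session struct{ LocalSEID uint64 } // hypothetical UPF session record

var (
	ErrHeader  = errors.New("pfcp: header truncated or S flag clear")
	ErrBadSEID = errors.New("pfcp: SEID does not map to a session")
)

// parseSEID reads the SEID from a PFCP header: flags, message type,
// 2-byte length, then an 8-byte SEID that is present when the S flag is set.
func parseSEID(msg []byte) (uint64, error) {
	// 4 fixed bytes + 8 SEID + 3 sequence number + 1 spare
	if len(msg) < 16 || msg[0]&0x01 == 0 {
		return 0, ErrHeader
	}
	return binary.BigEndian.Uint64(msg[4:12]), nil
}

// signedIndex is the assumed failure mode: the maximum SEID becomes -1 as a
// signed value, so a 1-based slot computation yields a negative index.
func signedIndex(seid uint64) int64 { return int64(seid) - 1 }

// lookup bounds-checks in unsigned space before touching the table, so an
// out-of-range SEID is rejected with an error instead of panicking.
func lookup(table []*Session, seid uint64) (*Session, error) {
	if seid == 0 || seid > uint64(len(table)) || table[seid-1] == nil {
		return nil, ErrBadSEID
	}
	return table[seid-1], nil
}

// constructedMsg is sample input built for this example: a Session
// Modification Request header (type 52) carrying the SEID from the advisory.
var constructedMsg = []byte{0x21, 52, 0, 12,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 1, 0}

func main() {
	seid, _ := parseSEID(constructedMsg)
	_, err := lookup([]*Session{{LocalSEID: 1}}, seid)
	fmt.Println(signedIndex(seid), err)
}
```

A handler built this way would answer the rejected request with an error cause rather than letting the index reach a slice access.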

Impact

Exploitation of this vulnerability causes a crash in the UPF component, disrupting service and potentially leading to a loss of session management functionality.

Reproduction

The vulnerability can be reproduced by sending a PFCP Session Modification Request to a free5GC UPF server with a Local SEID header value of 0xFFFFFFFFFFFFFFFF. This can be done using a custom Go program that establishes a PFCP association with the UPF and then sends the malformed session modification request. The UPF server will panic and crash, reporting an index-out-of-range runtime error caused by the negative SEID index.

Remediation

Users can update to free5GC version 4.1.1, where this vulnerability has been fixed.

Added: Dec 18, 2025, 7:22 PM
Updated: Dec 18, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.