free5GC UPF Integer Underflow Vulnerability in PFCP Session Deletion Requests Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the free5GC User Plane Function (UPF) version 4.1.0. The issue arises from improper bounds checking on the Session Endpoint Identifier (SEID) in Packet Forwarding Control Protocol (PFCP) Session Deletion Requests. An unauthenticated remote attacker can exploit this vulnerability by sending a request with an excessively large SEID, such as 0xFFFFFFFFFFFFFFFF. This causes an integer overflow when the SEID is converted from uint64 to int, leading to a negative index that causes a runtime panic and crashes the UPF process. The vulnerability has been reproduced in free5GC v4.1.0, with the crash occurring during session lookup and deletion processes.
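The conversion flaw described above, next to a lookup that checks the range before converting. This is an added example, not free5GC code: the `sessionTable` type, its slice-backed layout indexed directly by SEID, and all function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// session and sessionTable are hypothetical stand-ins, not free5GC types.
type session struct{ seid uint64 }
type sessionTable struct{ slots []*session }

var errUnknownSEID = errors.New("unknown SEID")

// lookupUnsafe converts before checking: int(0xFFFFFFFFFFFFFFFF) is -1,
// which passes the upper-bound test and is then used as a slice index.
func (t *sessionTable) lookupUnsafe(seid uint64) (*session, error) {
	i := int(seid)
	if i >= len(t.slots) {
		return nil, errUnknownSEID
	}
	return t.slots[i], nil // runtime panic when i is negative
}

// lookupSafe checks the range in the unsigned domain first, so an
// oversized SEID is rejected and never becomes a negative index.
func (t *sessionTable) lookupSafe(seid uint64) (*session, error) {
	if seid >= uint64(len(t.slots)) || t.slots[seid] == nil {
		return nil, errUnknownSEID
	}
	return t.slots[seid], nil
}

// panics reports whether f panicked, so the crash can be observed
// without terminating the program.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	// Constructed sample table with two sessions.
	t := &sessionTable{slots: []*session{{seid: 0}, {seid: 1}}}
	const big = uint64(0xFFFFFFFFFFFFFFFF) // SEID value named in the advisory
	fmt.Println("unsafe lookup panics:", panics(func() { t.lookupUnsafe(big) }))
	_, err := t.lookupSafe(big)
	fmt.Println("safe lookup error:", err)
}
```

A `recover` in the message handler would keep one bad request from terminating the process, but the range check is what removes the negative index.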

Impact

Exploitation of this vulnerability causes a runtime panic in the UPF process, specifically an 'index out of range' error due to the negative index created by the integer overflow. This panic disrupts the normal operation of the UPF, causing a crash that requires manual intervention to resolve.

Reproduction

The vulnerability can be reproduced by sending a PFCP Session Deletion Request with a large SEID value, such as 0xFFFFFFFFFFFFFFFF, to the UPF PFCP server. This can be done using a crafted UDP packet that simulates the PFCP message, after establishing a PFCP association with the UPF.

Remediation

Users can update to free5GC version 4.1.0 or later, where this vulnerability has been fixed.

Added: Dec 18, 2025, 7:21 PM
Updated: Dec 18, 2025, 7:21 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.