OmeC Project UPF Denial-of-Service Vulnerability via PFCP Association Setup Request

Vulnerability

A denial-of-service vulnerability has been identified in the OmeC Project UPF component, specifically in versions prior to and including upf-epc-pfcpiface:2.1.3-dev. The issue arises when the UPF receives a PFCP Association Setup Request that omits the mandatory NodeID Information Element. The association setup handler then dereferences a nil pointer, leading to a panic that terminates the UPF process. This vulnerability can be exploited by an attacker who can send PFCP Association Setup Request messages to the UPF's N4/PFCP endpoint, causing repeated crashes and disrupting user-plane services.
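As an added illustration (not the project's own code), the handler shape the advisory describes, in Go: a PFCP Association Setup Request is decoded into a map of IEs, and the mandatory NodeID IE is checked before use so an omitted IE produces a "Mandatory IE missing" rejection rather than a nil-pointer panic. The message and IE layout and the constant values follow 3GPP TS 29.244; the function and variable names are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Values from 3GPP TS 29.244: message type, IE type, cause values.
const (
	msgAssociationSetupRequest = 5
	ieNodeID                   = 60
	causeRequestAccepted       = 1
	causeMandatoryIEMissing    = 66
)

// Constructed sample: header (version 1, type 5, length 12, seq 1) followed only by a
// Recovery Time Stamp IE (type 96, 4 bytes); the mandatory NodeID IE is absent.
var sampleNoNodeID = []byte{0x20, 5, 0, 12, 0, 0, 1, 0, 0, 96, 0, 4, 0xe8, 0, 0, 0}

// ie is a decoded Type-Length-Value element; looking up an absent IE yields a nil *ie.
type ie struct{ Type uint16; Value []byte }
// parseIEs decodes the TLV body of a PFCP message into a map keyed by IE type.
func parseIEs(body []byte) (map[uint16]*ie, error) {
	ies := map[uint16]*ie{}
	for len(body) > 0 {
		if len(body) < 4 {
			return nil, errors.New("truncated IE header")
		}
		t, l := binary.BigEndian.Uint16(body[0:2]), int(binary.BigEndian.Uint16(body[2:4]))
		if len(body) < 4+l {
			return nil, errors.New("IE length exceeds message")
		}
		ies[t] = &ie{Type: t, Value: body[4 : 4+l]}
		body = body[4+l:]
	}
	return ies, nil
}

// handleAssociationSetup returns the PFCP cause to answer with. The advisory's crash is the
// pattern of reading ies[ieNodeID].Value with no nil check: the dereference panics the process.
func handleAssociationSetup(msg []byte) (uint8, error) {
	if len(msg) < 8 || msg[1] != msgAssociationSetupRequest { // 8-byte header: S flag clear, no SEID
		return 0, errors.New("not a PFCP Association Setup Request")
	}
	ies, err := parseIEs(msg[8:])
	if err != nil { return 0, err }
	if nodeID := ies[ieNodeID]; nodeID == nil || len(nodeID.Value) < 2 {
		return causeMandatoryIEMissing, errors.New("mandatory NodeID IE missing") // reject, never dereference
	}
	return causeRequestAccepted, nil
}
```

A defender can apply the same check to every mandatory IE of every PFCP message type; the cost is one lookup per IE, and the failure mode becomes a logged rejection instead of a restarted UPF.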

Impact

Exploitation of this vulnerability causes the UPF process to crash, leading to a denial-of-service condition that disrupts user-plane services.

Reproduction

The vulnerability can be reproduced by sending a PFCP Association Setup Request that lacks the NodeID Information Element to a UPF instance. This can be done using a UDP connection to the UPF's N4/PFCP endpoint, with the request crafted to omit the required NodeID. Once the malformed request is sent, the UPF will crash due to the nil pointer dereference.

Remediation

Users can update to UPF version 2.1.3-dev or later, where this vulnerability has been fixed.

Added: Dec 18, 2025, 7:21 PM
Updated: Dec 18, 2025, 7:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 1.5
threat: 1.6
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.