OMEC UPF Denial-of-Service Vulnerability Due to Missing Recovery Time Stamp in PFCP Association Setup Request

A denial-of-service vulnerability has been identified in the OMEC UPF component, specifically in version upf-epc-pfcpiface:2.1.3-dev. The issue arises when the User Plane Function (UPF) receives a Packet Forwarding Control Protocol (PFCP) Association Setup Request that lacks the mandatory Recovery Time Stamp Information Element. Instead of validating the message, the association setup handler attempts to access the missing information, leading to a nil pointer dereference. This causes a panic that crashes the UPF process, disrupting user-plane services. The vulnerability can be exploited by sending crafted PFCP Association Setup Request messages to the UPF's N4/PFCP endpoint, causing repeated crashes and service disruptions.

Impact

Exploitation of this vulnerability causes the UPF process to crash, terminating the service and disrupting user-plane functions.

Reproduction

The vulnerability can be reproduced by sending a PFCP Association Setup Request that omits the Recovery Time Stamp Information Element. This can be done using a UDP connection to the UPF's PFCP endpoint, with the request crafted to exclude the mandatory timestamp. Once the request is sent, the UPF will crash due to the unhandled nil pointer dereference.

Remediation

Users can update to the latest version of OMEC UPF where this vulnerability has been fixed. Instructions for updating can be found in the project's GitHub repository.