Ome Project UPF Denial-of-Service Vulnerability in PFCP Session Establishment

A denial-of-service vulnerability exists in the omec-project UPF, specifically in the pfcpiface component, version upf-epc-pfcpiface:2.1.3-dev. The issue arises after a PFCP association is established, when a PFCP Session Establishment Request is received without the mandatory F-SEID (CPF-SEID) Information Element. The session establishment handler fails to validate this properly, leading to a nil pointer dereference. This causes a panic that terminates the UPF process. An attacker capable of sending PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this vulnerability, causing repeated crashes of the UPF and disruption of user-plane services.

Impact

Exploitation of this vulnerability causes the UPF process to crash, terminating the service and disrupting user-plane operations.

Reproduction

The vulnerability can be reproduced by sending a PFCP Session Establishment Request to a UPF instance running version upf-epc-pfcpiface:2.1.3-dev, without including the mandatory F-SEID Information Element. This can be done using a crafted UDP packet that omits the required information, which will trigger a nil pointer dereference in the UPF's session handling code, causing a runtime panic and crash.

Remediation

Users can update to the latest version of the omec-project UPF where this issue has been fixed.