OmeC Project UPF Denial-of-Service Vulnerability in PFCP Session Report Response Handling

A denial-of-service vulnerability has been identified in the OmeC Project UPF component, specifically in version upf-epc-pfcpiface:2.1.3-dev. The issue arises when the UPF receives a PFCP Session Report Response that lacks the required Cause Information Element. Instead of rejecting the malformed message, the session report handler dereferences a nil pointer, causing a panic that crashes the UPF process. This flaw can be exploited by an attacker who sends PFCP Session Report Response messages to the UPF's N4/PFCP endpoint, leading to repeated crashes and disruption of user-plane services.

Impact

Exploitation of this vulnerability causes the UPF process to crash, terminating its operation and disrupting user-plane services.

Reproduction

The vulnerability can be reproduced by sending a PFCP Session Report Response message to the UPF's N4/PFCP endpoint without the mandatory Cause Information Element. This can be done using a crafted UDP packet that simulates the missing Cause IE, which the UPF's session report handler will process incorrectly, leading to a nil pointer dereference and a crash.

Remediation

Users can update to the patched version of the UPF component, which includes a fix for this vulnerability. Instructions for updating can be found in the project's GitHub repository.