Ome Project UPF Denial-of-Service Vulnerability in PFCP Interface Component

A denial-of-service vulnerability has been identified in the omec-project UPF, specifically in the pfcpiface component, version upf-epc-pfcpiface:2.1.3-dev. The issue arises after a PFCP association when a crafted PFCP Session Establishment Request is sent. This request includes a CreatePDR with a malformed Flow-Description that is not properly validated. The Flow-Description parser can read beyond the limits of the provided buffer, leading to a panic that crashes the UPF process. An attacker capable of sending PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this vulnerability, causing the UPF to crash repeatedly.

Impact

Exploiting this vulnerability causes the UPF process to panic and terminate, leading to a crash of the UPF component.

Reproduction

The vulnerability can be reproduced by sending a PFCP Session Establishment Request with a malformed Flow-Description to the UPF's N4/PFCP endpoint. This can be done using a crafted UDP packet that includes the malformed Flow-Description in the CreatePDR of the Session Establishment Request. The UPF will crash upon processing the malformed Flow-Description, as indicated by a runtime panic due to an out-of-bounds read.

Remediation

Users can update to the latest version of the omec-project UPF where this vulnerability has been fixed.