free5GC
cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*
- <= 1.2.6
- <= 1.4.0
A denial-of-service vulnerability has been identified in free5GC go-upf versions through 1.2.6, which corresponds to free5GC smf versions through 1.4.0. This vulnerability arises from improper input validation and protocol compliance in the UPF component, specifically in how it handles PFCP Association Setup Request messages. Remote attackers can exploit this vulnerability by sending malformed requests, which UPF incorrectly accepts. This acceptance leads UPF to enter an inconsistent state, causing legitimate requests to disrupt SMF connections, create reconnection loops, and degrade network services. All deployments of free5GC v4.0.1 using the UPF and SMF components may be affected.
Exploitation of this vulnerability allows remote attackers to disrupt core network functionality, causing SMF to enter reconnection loops and degrade service.
The vulnerability can be reproduced by sending a malformed PFCP Association Setup Request to the UPF component. This malformed request is accepted by UPF, contrary to the expected behavior outlined in 3GPP TS 29.244, which requires UPF to reject such invalid messages. After the malformed request is accepted, sending a valid PFCP Session Establishment Request triggers a disruption in the SMF-UPF connection, causing service degradation.
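The page does not say which part of the request is malformed, so this added example (not free5GC code) shows the general receiver-side check instead: a Go function that accepts a PFCP Association Setup Request only if its header is self-consistent and the two IEs that TS 29.244 makes mandatory for this message, Node ID and Recovery Time Stamp, are present. The function name, the sample bytes and the one-message-per-datagram assumption are illustrative.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TS 29.244 values: Association Setup Request message type and its two mandatory IE types.
const msgAssocSetupReq, ieNodeID, ieRecoveryTimeStamp = 5, 60, 96

// Constructed sample message, not captured traffic.
var sampleValid = []byte{0x20, 0x05, 0x00, 0x15, 0x00, 0x00, 0x01, 0x00, // header, seq 1
	0x00, 0x3c, 0x00, 0x05, 0x00, 0x0a, 0x00, 0x00, 0x01, // Node ID IE: IPv4 10.0.0.1
	0x00, 0x60, 0x00, 0x04, 0xe0, 0x00, 0x00, 0x00} // Recovery Time Stamp IE

// ValidateAssocSetupReq is a hypothetical helper; it assumes one PFCP message per datagram.
func ValidateAssocSetupReq(b []byte) error {
	switch {
	case len(b) < 8:
		return errors.New("shorter than a PFCP node message header")
	case b[0]>>5 != 1 || b[0]&0x01 != 0:
		return errors.New("bad version, or S flag set on a node message")
	case b[1] != msgAssocSetupReq:
		return errors.New("not an Association Setup Request")
	case int(binary.BigEndian.Uint16(b[2:4])) != len(b)-4:
		return errors.New("header length does not match datagram size")
	}
	seen := map[uint16]bool{}
	for ies := b[8:]; len(ies) > 0; {
		if len(ies) < 4 {
			return errors.New("truncated IE header")
		}
		typ, n := binary.BigEndian.Uint16(ies), int(binary.BigEndian.Uint16(ies[2:]))
		if n > len(ies)-4 {
			return fmt.Errorf("IE %d: length %d overruns message", typ, n)
		}
		seen[typ] = true
		ies = ies[4+n:]
	}
	if !seen[ieNodeID] || !seen[ieRecoveryTimeStamp] {
		return errors.New("mandatory IE missing: Node ID or Recovery Time Stamp")
	}
	return nil
}

func main() { fmt.Println("constructed sample:", ValidateAssocSetupReq(sampleValid)) }
```

A receiver that runs a check of this kind before creating association state can reject the request without changing its view of the peer.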
A fix for this vulnerability is currently in development. Users are advised to upgrade to a future release of free5GC once the patch is available.