free5GC UPF Heap-Based Buffer Overflow Vulnerability Leading to Denial-of-Service

A heap-based buffer overflow vulnerability has been identified in the free5GC User Plane Function (UPF) component, specifically in versions prior to 1.2.8. This vulnerability allows remote attackers to disrupt UPF services by sending malformed PFCP Session Modification Requests that include invalid SDF Filter length fields. The exploitation of this vulnerability causes a heap buffer overflow, leading to a crash of the UPF network element. This crash disrupts services for all connected user equipment (UEs) and can cause cascading failures that affect the Session Management Function (SMF).

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, leading to a crash of the UPF network element. This disruption affects all connected UEs and can cause additional failures in the SMF, which manages session resources for UEs.

Reproduction

The vulnerability can be reproduced by establishing a PFCP association with the UPF and then sending a PFCP Session Establishment Request. After the session is established, a PFCP Session Modification Request can be sent with a corrupted SDF Filter Information Element that includes an invalid length. This triggers the buffer overflow by causing an out-of-bounds memory access, which crashes the UPF component.

Remediation

Users should upgrade to free5GC UPF version 1.2.8 or later, where this vulnerability has been fixed.