free5GC Heap Buffer Overflow Vulnerability in UPF Component Allowing Denial-of-Service

A heap buffer overflow vulnerability has been identified in the UPF component of free5GC version 4.0.1. This vulnerability allows remote attackers to cause a denial-of-service by sending a crafted PFCP Session Modification Request. The issue arises in the SDFFilterFields.UnmarshalBinary function within sdf-filter.go, where the parser fails to validate the length of SDF Filter Information Elements, leading to out-of-bounds memory access, a runtime panic, and a crash of the UPF network element.

Impact

Exploitation of this vulnerability causes a heap buffer overflow, leading to a crash of the UPF network element. This disruption terminates all active PFCP sessions, causes a service outage for all connected user equipment, and creates a cascading failure that affects the SMF functionality.

Reproduction

The vulnerability can be reproduced by establishing a PFCP association and session, then sending a malicious PFCP Session Modification Request that includes corrupted SDF Filter Information Elements with invalid length fields. This malformed request triggers the buffer overflow by causing the UPF to access memory out of bounds, resulting in a crash.

Remediation

The vulnerability has been patched. Users should upgrade to the next release of free5GC that includes this fix.