free5GC Denial-of-Service Vulnerability in UPF Component Due to Improper PFCP Association Request Handling

A denial-of-service vulnerability has been identified in the free5GC core network framework, specifically in version 4.0.1. The issue arises within the User Plane Function (UPF) component, which improperly validates and processes malformed Packet Forwarding Control Protocol (PFCP) Association Setup Request messages. This mismanagement violates 3GPP TS 29.244 standards, allowing remote attackers to disrupt core network functionality. When UPF accepts these invalid requests, it enters an inconsistent state. As a result, subsequent legitimate PFCP Session Establishment Requests can trigger a cascading failure, disrupting the connection with the Session Management Function (SMF) and causing service degradation.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, where core network functionality is disrupted, causing degradation of services that rely on stable UPF-SMF connections.

Reproduction

The vulnerability can be reproduced by sending a malformed PFCP Association Setup Request to the UPF component on port 8805. This malformed request is accepted by UPF, which then responds incorrectly, indicating the request was successfully accepted. Following this, a valid PFCP Session Establishment Request can be sent, which will cause the SMF to enter a reconnection loop, disrupting services.

Remediation

A fix for this vulnerability is currently in development. Users should upgrade to a future release of free5GC once the patch is available.