Free5GC SMF Denial-of-Service Vulnerability via Malformed PFCP SessionReportRequest

Vulnerability

A denial-of-service vulnerability has been identified in Free5GC SMF versions through 4.1.0. The issue is in the PFCP component, specifically in the HandlePfcpSessionReportRequest function of handler.go. It can be exploited remotely by sending a SessionReportRequest that lacks the mandatory ReportType Information Element (IE). When ReportType is omitted, the handler dereferences a nil pointer and panics. This vulnerability is particularly impactful when the session state is DEACTIVATED, as the PFCP dispatcher does not recover from panics, so the panic terminates the entire SMF process.
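
The failure mode described above, and two defensive patterns against it, as an added example that is not Free5GC's code or its 4.1.1 patch. The types and function names are simplified, assumed stand-ins for a decoded PFCP message and its dispatcher.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for a decoded PFCP message (assumed names, not free5gc's types).
type ReportType struct{ Dldr bool }

type SessionReportRequest struct {
	ReportType *ReportType // nil when the IE was absent on the wire
}

var ErrMissingReportType = errors.New("SessionReportRequest: mandatory ReportType IE missing")

// unsafeHandle reproduces the failure mode: the pointer is dereferenced unchecked.
func unsafeHandle(req *SessionReportRequest) bool {
	return req.ReportType.Dldr // panics when ReportType is nil
}

// safeHandle rejects the message before any field of the IE is read.
func safeHandle(req *SessionReportRequest) (bool, error) {
	if req == nil || req.ReportType == nil {
		return false, ErrMissingReportType
	}
	return req.ReportType.Dldr, nil
}

// dispatch runs one handler and turns a panic into an error, so a single
// malformed message cannot terminate the whole process.
func dispatch(handler func()) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered handler panic: %v", r)
		}
	}()
	handler()
	return nil
}

func main() {
	malformed := &SessionReportRequest{} // constructed input: ReportType omitted
	fmt.Println(dispatch(func() { unsafeHandle(malformed) }))
	_, err := safeHandle(malformed)
	fmt.Println(err)
}
```

Validating the mandatory IE is the primary control; the recover wrapper is defense in depth for handlers that still miss a check.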

Impact

Exploitation of this vulnerability causes the SMF process to crash, disrupting service and requiring a manual restart.

Reproduction

The vulnerability can be reproduced by sending a PFCP SessionReportRequest without the ReportType IE to an SMF instance with an active session that has been deactivated. This can be done using a UDP connection to the SMF's PFCP port, after establishing a PFCP association and simulating the necessary session state with a fake UPF that waits for a SessionModificationRequest before sending the malformed report request. The absence of the ReportType IE triggers the nil pointer dereference, causing the SMF process to panic and crash.

Remediation

Users are advised to update to Free5GC SMF version 4.1.1 or later, where this vulnerability has been fixed.

Added: Jan 30, 2026, 2:20 PM
Updated: Jan 30, 2026, 2:20 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 2.5
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.