Free5GC Null Pointer Dereference Vulnerability in SMF Component

Vulnerability

A null pointer dereference vulnerability has been identified in Free5GC versions through 4.1.0, specifically within the SMF component's establishPfcpSession function. This vulnerability allows a remote attacker to crash the SMF process by sending a malformed PFCP SessionEstablishmentResponse that omits the required Cause Information Element. The absence of this element leads to a nil pointer dereference, causing the SMF process to terminate unexpectedly, which can be exploited to create a denial-of-service condition.

Impact

Exploitation of this vulnerability causes the SMF process to crash, leading to a denial-of-service condition where the service is interrupted and unavailable.

Reproduction

The vulnerability can be reproduced by configuring a rogue UPF to send a PFCP SessionEstablishmentResponse without the mandatory Cause Information Element. This can be done by first establishing a PFCP association with the SMF, then sending a crafted SessionEstablishmentResponse that includes the NodeID and UPFSEID but excludes the Cause. The SMF will crash when it processes this response, due to the missing Cause information.

Remediation

Users are advised to update to Free5GC version 4.2.0, where this vulnerability has been fixed.
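
The bug class and its guard, as an added Go example that is not Free5GC's code or the 4.2.0 patch: the struct and function names are hypothetical stand-ins for a decoded PFCP message, and the sample response is constructed. An unrecovered nil dereference in any goroutine terminates the whole Go process, which is why a single malformed response takes the SMF down.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for decoded PFCP IEs (not Free5GC's types).
// An IE that is absent on the wire decodes to a nil pointer.
type Cause struct{ Value uint8 }
type NodeID struct{ Addr string }
type FSEID struct{ SEID uint64 }

type SessionEstablishmentResponse struct {
	NodeID  *NodeID
	Cause   *Cause
	UPFSEID *FSEID
}

const causeRequestAccepted = 1 // PFCP Cause "Request accepted" (3GPP TS 29.244)

var ErrMissingIE = errors.New("pfcp: mandatory IE missing")

// acceptedUnchecked shows the bug class: Cause is dereferenced unconditionally.
func acceptedUnchecked(rsp *SessionEstablishmentResponse) bool {
	return rsp.Cause.Value == causeRequestAccepted // panics when Cause is nil
}

// acceptedChecked rejects the message before any field is dereferenced.
func acceptedChecked(rsp *SessionEstablishmentResponse) (bool, error) {
	if rsp == nil || rsp.Cause == nil {
		return false, fmt.Errorf("%w: Cause", ErrMissingIE)
	}
	return rsp.Cause.Value == causeRequestAccepted, nil
}

// panics reports whether f panicked, so the demo can continue past the crash.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	// Constructed sample: NodeID and UPFSEID present, Cause omitted.
	rsp := &SessionEstablishmentResponse{NodeID: &NodeID{Addr: "192.0.2.10"}, UPFSEID: &FSEID{SEID: 1}}
	fmt.Println("unchecked handler panics:", panics(func() { acceptedUnchecked(rsp) }))
	ok, err := acceptedChecked(rsp)
	fmt.Println("checked handler:", ok, err)
}
```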

Added: Feb 6, 2026, 2:20 AM
Updated: Feb 6, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 4.0
remediation: 7.7
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.