Free5GC SMF Denial-of-Service Vulnerability via Malformed PFCP Response

Vulnerability

A denial-of-service vulnerability has been identified in Free5GC versions through 4.1.0, specifically within the SMF component. The issue arises in the 'ResolveNodeIdToIp' function of 'internal/sbi/processor/datapath.go'. When the SMF sends a PFCP Session Establishment Request, a rogue UPF can respond with a SessionEstablishmentResponse that lacks the required NodeID information. This omission causes the SMF to attempt to process a nil NodeID pointer, leading to a runtime panic and crashing the SMF process. The vulnerability can be exploited remotely, and a public exploit is available.
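The failure mode described above, as an added example that is not Free5GC's code or its actual patch: a simplified model of a response handler that dereferences an optional NodeID pointer, next to a version that rejects the message instead. All type and function names here are hypothetical, and the sample response is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// NodeID is a simplified stand-in for a PFCP Node ID IE (hypothetical type).
type NodeID struct {
	IP net.IP
}

// SessionEstablishmentResponse models only the field relevant here.
// A nil NodeID means the peer omitted the IE.
type SessionEstablishmentResponse struct {
	NodeID *NodeID
}

var ErrMissingNodeID = errors.New("pfcp: response lacks mandatory NodeID IE")

// resolveUnchecked mirrors the failure mode: it dereferences the pointer
// without checking it, so a response without NodeID panics.
func resolveUnchecked(rsp *SessionEstablishmentResponse) net.IP {
	return rsp.NodeID.IP
}

// resolveChecked rejects the message instead of crashing the process.
func resolveChecked(rsp *SessionEstablishmentResponse) (net.IP, error) {
	if rsp == nil || rsp.NodeID == nil || rsp.NodeID.IP == nil {
		return nil, ErrMissingNodeID
	}
	return rsp.NodeID.IP, nil
}

// panics reports whether f panics, so the unchecked path can be observed safely.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	bad := &SessionEstablishmentResponse{} // constructed input: NodeID omitted
	fmt.Println("unchecked panics:", panics(func() { resolveUnchecked(bad) }))
	_, err := resolveChecked(bad)
	fmt.Println("checked error:", err)
}
```

Returning an error lets the caller drop the malformed response and log the peer, so one bad message from a peer does not terminate the whole process.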

Impact

Exploitation of this vulnerability causes the SMF process to crash, terminating its operation and disrupting service.

Reproduction

The vulnerability can be reproduced by using a rogue UPF server that sends a PFCP SessionEstablishmentResponse missing the NodeID IE. This can be done by establishing a PFCP association with the SMF, then sending a crafted response that omits the required NodeID, which triggers the nil pointer dereference and crashes the SMF.

Remediation

Users are advised to update to Free5GC version 4.2.0, where this vulnerability has been fixed.

Added: Feb 6, 2026, 2:20 AM
Updated: Feb 6, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.