Free5GC SMF Null Pointer Dereference Vulnerability in Session Deletion Response

Vulnerability

A null pointer dereference vulnerability has been identified in Free5GC versions through 4.1.0, specifically within the Session Deletion Response function of the SMF component. This vulnerability allows a rogue or malicious UPF to cause a denial-of-service condition by responding to a PFCP Session Deletion Request with a malformed Session Deletion Response that omits the required Cause Information Element (IE). The SMF does not nil-check the Cause IE before using it, so the missing element leads to a runtime panic that crashes the SMF process. The vulnerability can be exploited remotely, without any authentication.

Impact

Exploitation of this vulnerability causes a runtime panic in the SMF component, leading to a crash of the SMF process.

Reproduction

The vulnerability can be reproduced by simulating a UPF that responds to a PFCP Session Deletion Request with a Session Deletion Response that lacks the mandatory Cause Information Element. This can be done using a crafted UDP packet that omits the Cause IE, which triggers the nil pointer dereference in the SMF's response handling.

Remediation

Users are advised to update to Free5GC version 4.2.0 or later, where this vulnerability has been fixed.
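
The missing nil-check described above, next to a checked handler and a recover wrapper as a second layer. This is an added Go example, not Free5GC's own code; the type, constant and function names are stand-ins assumed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in types for this example (assumed, not Free5GC's definitions).
// IEs decode to pointer fields, so an IE absent on the wire is nil.
type Cause struct{ Value uint8 }

type SessionDeletionResponse struct {
	Cause *Cause // mandatory in the protocol, but a peer can still omit it
}

const CauseRequestAccepted uint8 = 1

var ErrMissingCause = errors.New("pfcp: session deletion response without Cause IE")

// handleUnchecked shows the vulnerable pattern: rsp.Cause is dereferenced
// without a check, so a response lacking the IE panics.
func handleUnchecked(rsp *SessionDeletionResponse) bool {
	return rsp.Cause.Value == CauseRequestAccepted
}

// handleChecked validates presence first and returns an error the caller
// can log and count, leaving the process running.
func handleChecked(rsp *SessionDeletionResponse) (bool, error) {
	if rsp == nil || rsp.Cause == nil {
		return false, ErrMissingCause
	}
	return rsp.Cause.Value == CauseRequestAccepted, nil
}

// guarded runs a handler and converts a panic into an error, so that one
// malformed peer message cannot take the whole process down.
func guarded(h func(*SessionDeletionResponse) bool, rsp *SessionDeletionResponse) (ok bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			ok, err = false, fmt.Errorf("pfcp handler panic: %v", r)
		}
	}()
	return h(rsp), nil
}

func main() {
	bad := &SessionDeletionResponse{} // constructed: decoded message with no Cause IE
	_, err := guarded(handleUnchecked, bad)
	fmt.Println("unchecked:", err)
	_, err = handleChecked(bad)
	fmt.Println("checked:  ", err)
}
```

The wrapper is a backstop for unknown decoding gaps; the explicit presence check is still the fix for this message.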

Added: Feb 6, 2026, 3:19 AM
Updated: Feb 6, 2026, 3:19 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.