free5GC SMF Nil Pointer Dereference Vulnerability in PFCP SessionReportRequest Handling

Vulnerability

A remote denial-of-service vulnerability has been identified in the free5GC Session Management Function (SMF) component, in versions through 1.4.1. The issue arises from the SMF's handling of malformed PFCP SessionReportRequest messages on the PFCP interface (UDP port 8805). When the ReportType.DLDR flag is set but the DownlinkDataReport Information Element (IE) is missing, the handler dereferences a nil pointer and the SMF process panics and crashes. The vulnerability can be exploited remotely by sending the malformed PFCP message, leading to process termination and disruption of service.

Impact

Exploitation of this vulnerability causes the SMF process to crash, terminating the session management function and disrupting active sessions.

Reproduction

The vulnerability can be reproduced by sending a PFCP SessionReportRequest with the ReportType.DLDR flag enabled while omitting the DownlinkDataReport IE. The message is sent over UDP to the SMF's PFCP port (8805) after a PDU session has been established with a user equipment (UE) device. Once the session is active, the SMF is in a state to receive the malformed report, which triggers the nil pointer dereference and crashes the process.

Remediation

Users can apply network-level filtering to restrict access to the SMF PFCP interface, allowing only trusted UPF IPs. Additionally, malformed PFCP SessionReportRequest messages can be dropped or inspected at the network edge, where feasible. As a temporary measure, the PFCP handler dispatch can be wrapped in a deferred function that calls recover(), which prevents the process crash but does not address the root cause of the vulnerability.
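The sketch below is an added example, not free5GC code: it shows the recover() stopgap described above next to a presence check on the optional IE, which is assumed here to be the shape of a root-cause fix. All type and function names are hypothetical stand-ins for the SMF's decoded PFCP message and handler.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the decoded PFCP message (not free5GC's own types).
type ReportType struct{ DLDR bool }
type DownlinkDataReport struct{ PDRID uint16 }
type SessionReportRequest struct {
	ReportType         *ReportType
	DownlinkDataReport *DownlinkDataReport // optional IE: nil when absent
}

var ErrMissingIE = errors.New("DLDR set but DownlinkDataReport IE missing")

// handleReport models the defect class: it trusts the DLDR flag and
// dereferences the optional IE without checking that it was present.
func handleReport(req *SessionReportRequest) (uint16, error) {
	if req.ReportType != nil && req.ReportType.DLDR {
		return req.DownlinkDataReport.PDRID, nil // panics when the IE is nil
	}
	return 0, nil
}

// checkedHandle rejects inconsistent messages before any dereference, then
// delegates to the existing handler (assumed root-cause fix).
func checkedHandle(req *SessionReportRequest) (uint16, error) {
	if req == nil || req.ReportType == nil {
		return 0, errors.New("missing ReportType IE")
	}
	if req.ReportType.DLDR && req.DownlinkDataReport == nil {
		return 0, ErrMissingIE
	}
	return handleReport(req)
}

// safeDispatch is the temporary measure: a deferred recover() turns a handler
// panic into an error so one bad message cannot terminate the process.
func safeDispatch(h func(*SessionReportRequest) (uint16, error), req *SessionReportRequest) (id uint16, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("pfcp handler panic recovered: %v", r)
		}
	}()
	return h(req)
}

func main() { // constructed input: DLDR set, DownlinkDataReport absent
	_, err := safeDispatch(handleReport, &SessionReportRequest{ReportType: &ReportType{DLDR: true}})
	fmt.Println("recovered instead of crashing:", err)
}
```

With the wrapper alone the malformed message still reaches the faulty dereference and is only caught afterwards; the presence check rejects it with a distinct error that can be logged and counted per peer.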

Added: Feb 24, 2026, 1:20 AM
Updated: Feb 24, 2026, 1:20 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 8.7
remediation: 8.3
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.