free5GC SMF Nil Pointer Dereference Vulnerability in PFCP SessionReportRequest Handling

Vulnerability

A remote denial-of-service vulnerability has been identified in the free5GC Session Management Function (SMF) component, specifically in versions through 4.1.0. The issue arises when SMF processes a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. The vulnerability causes SMF to panic and terminate, creating a denial-of-service condition. The crash occurs because the report processing function dereferences a nil pointer, a situation that arises when the UsageReport Information Element (IE) is present but the mandatory URRID sub-IE is missing. This flaw allows an attacker, or a spoofed UPF, to disrupt the SMF process by sending crafted PFCP messages.

Impact

Exploitation of this vulnerability leads to a nil pointer dereference, causing the SMF process to crash and terminate. This behavior has been confirmed in the free5GC v4.1.0 environment.

Reproduction

The vulnerability can be reproduced by sending a PFCP SessionReportRequest that sets the ReportType.USAR flag and includes a UsageReport, but omits the required URRID sub-IE. This can be done using a fake UPF that leaves out the URRID while interacting with the SMF over the PFCP interface.

Remediation

No upstream fix is currently available. The recommended code change is to validate the URRID sub-IE in the PFCP report handling so that it is never dereferenced when nil. Workarounds include using an ACL or firewall to restrict PFCP traffic to trusted UPF IPs, inspecting or dropping malformed PFCP SessionReportRequest messages at the network edge, and adding error recovery around PFCP handler dispatch to prevent process termination.
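
The two code-level mitigations named above (URRID validation and recovery around handler dispatch), as an added Go example that is not free5GC's own code. The types, `ValidateReport` and `SafeDispatch` are hypothetical stand-ins for the decoded PFCP message and the SMF's handler dispatch.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model of a decoded SessionReportRequest; absent IEs decode to nil.
type URRID struct{ Value uint32 }
type UsageReport struct{ URRID *URRID }
type ReportType struct{ USAR bool }
type SessionReportRequest struct {
	ReportType   *ReportType
	UsageReports []*UsageReport
}

var ErrMissingURRID = errors.New("pfcp: UsageReport without mandatory URRID")

// ValidateReport rejects a usage report (USAR set) that lacks the URRID sub-IE.
func ValidateReport(req *SessionReportRequest) error {
	if req == nil || req.ReportType == nil {
		return errors.New("pfcp: missing ReportType")
	}
	for i, ur := range req.UsageReports {
		if req.ReportType.USAR && (ur == nil || ur.URRID == nil) {
			return fmt.Errorf("usage report %d: %w", i, ErrMissingURRID)
		}
	}
	return nil
}

// SafeDispatch validates, then runs h with panic recovery, so a handler bug
// fails one message instead of terminating the process.
func SafeDispatch(req *SessionReportRequest, h func(*SessionReportRequest)) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("pfcp handler panic recovered: %v", r)
		}
	}()
	if err = ValidateReport(req); err != nil {
		return err
	}
	h(req)
	return nil
}

func main() {
	// Constructed sample: USAR set, one UsageReport with no URRID.
	bad := &SessionReportRequest{ReportType: &ReportType{USAR: true}, UsageReports: []*UsageReport{{}}}
	fmt.Println(SafeDispatch(bad, func(r *SessionReportRequest) { _ = r.UsageReports[0].URRID.Value }))
}
```

Recovery is a backstop only: the validation step is what keeps the malformed report away from the dereference, and rejected messages should be logged with the peer address so spoofed or misbehaving UPFs are visible.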

Added: Feb 24, 2026, 1:34 AM
Updated: Feb 24, 2026, 1:34 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 8.7
remediation: 8.3
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.