free5GC SMF Nil Pointer Dereference Vulnerability in PFCP SessionReportRequest Handling

Vulnerability

A denial-of-service vulnerability has been identified in the free5GC Session Management Function (SMF) component, specifically in versions through 4.1.0. The issue arises when SMF processes a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. The vulnerability can be exploited by sending a SessionReportRequest that includes the ReportType.USAR flag and a UsageReport Information Element (IE), but omits the mandatory URRID sub-IE. This omission leads to a nil pointer dereference, causing SMF to panic and terminate the process, thereby disrupting service.

Impact

Exploitation of this vulnerability causes the SMF process to crash, leading to a remote denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending the SMF a PFCP SessionReportRequest that includes the ReportType.USAR flag and a UsageReport IE but omits the required URRID sub-IE. This can be done with a fake UPF that establishes a PFCP association with the SMF and then sends the malformed request.

Remediation

No upstream fix is currently available. However, it is recommended to add validation for the URRID sub-IE in the PFCP report handling to ensure that all mandatory elements are present before processing. In the absence of a patch, workarounds include using an ACL or firewall to restrict PFCP traffic to trusted UPF IPs, dropping or inspecting malformed SessionReportRequests at the network edge, and adding error recovery around PFCP message handling to prevent process termination.
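The two code-level measures recommended above (checking for the mandatory URRID before use, and error recovery around the handler) are sketched below as an added example; this is not free5GC code. The types, `validateReport`, `uncheckedHandler` and `safeHandle` are hypothetical, simplified stand-ins, and the ReportType flag is not modeled.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for decoded PFCP IEs (not free5GC's own types); a missing sub-IE is a nil pointer.
type URRID struct{ Value uint32 }
type UsageReport struct{ URRID *URRID }
type SessionReportRequest struct{ UsageReports []*UsageReport }

var ErrMissingURRID = errors.New("UsageReport IE without mandatory URRID sub-IE")

// validateReport checks mandatory sub-IEs before any handler dereferences them.
func validateReport(req *SessionReportRequest) error {
	for i, ur := range req.UsageReports {
		if ur == nil || ur.URRID == nil {
			return fmt.Errorf("usage report %d: %w", i, ErrMissingURRID)
		}
	}
	return nil
}

// uncheckedHandler models the failure mode: it reads URRID.Value unconditionally.
func uncheckedHandler(req *SessionReportRequest) error {
	for _, ur := range req.UsageReports {
		_ = ur.URRID.Value // a nil URRID panics here
	}
	return nil
}

// safeHandle validates first, then turns any remaining handler panic into an error.
func safeHandle(req *SessionReportRequest, h func(*SessionReportRequest) error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("PFCP handler panic recovered: %v", r)
		}
	}()
	if err = validateReport(req); err != nil {
		return err
	}
	return h(req)
}

func main() {
	// Constructed sample: one UsageReport with no URRID.
	bad := &SessionReportRequest{UsageReports: []*UsageReport{{}}}
	fmt.Println(safeHandle(bad, uncheckedHandler))
}
```

Validation is the primary control; the `recover` wrapper only keeps the process alive if a handler still hits an unchecked field, and the recovered error should be logged and counted so malformed PFCP traffic is visible to operators.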

Added: Feb 24, 2026, 1:33 AM
Updated: Feb 24, 2026, 1:33 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 8.7
remediation: 8.3
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.