Executive Summary

This vulnerability in free5GC UPF v4.1.0 occurs because the system does not properly check the bounds of the SEID (Session Endpoint Identifier) when processing PFCP Session Deletion Requests. An unauthenticated attacker can send a request with an extremely large SEID value (e.g., 0xFFFFFFFFFFFFFFFF), which causes an integer conversion and underflow when the SEID (stored as uint64) is cast to a signed int and used as an index. This results in a negative index used to access a session slice, causing a Go runtime panic and crashing the UPF process, leading to a denial of service. [1]

Useful 0 Not Useful 0

Impact Analysis

The impact of this vulnerability is a denial of service (DoS) condition on the free5GC User Plane Function (UPF). An attacker can remotely crash the UPF by sending a specially crafted PFCP Session Deletion Request with a large SEID value, causing the UPF to panic and stop functioning. This disrupts the network service relying on the UPF, potentially causing outages or degraded service availability. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or runtime panics in the free5GC UPF process, specifically looking for Go runtime panic messages related to 'index out of range' errors in the DeleteSess() function. Additionally, sending a crafted PFCP Session Deletion Request with a very large SEID value (e.g., 0xFFFFFFFFFFFFFFFF) can be used as a proof-of-concept test to reproduce the crash. A PoC Go program exists that establishes a PFCP association and sends such a request to trigger the vulnerability. Monitoring logs for panic stack traces referencing internal/pfcp/node.go line 678 can also help detect exploitation attempts. Specific commands are not detailed, but using the PoC or network packet crafting tools to send malformed PFCP Session Deletion Requests with large SEID values would be the approach. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying patches or updates that add proper SEID validation in the DeleteSess() function to prevent integer underflow and out-of-range slice access. Until a fix is applied, network administrators should monitor and filter PFCP Session Deletion Requests with abnormally large SEID values to prevent them from reaching the UPF. Implementing input validation or firewall rules to block malformed PFCP messages with suspicious SEID values can reduce the risk. Restarting the UPF after a crash and monitoring for repeated crashes is also advised. Ultimately, updating free5GC UPF to a version where this vulnerability is fixed is necessary. [1]

Useful 0 Not Useful 0