Executive Summary

CVE-2025-65567 is a denial-of-service vulnerability in the omec-project UPF (User Plane Function) component, specifically in the pfcpiface module version upf-epc-pfcpiface:2.1.3-dev. The vulnerability occurs when the UPF receives a specially crafted PFCP Session Establishment Request containing a CreatePDR Information Element with a malformed Flow-Description string. The parser function parseFlowDesc does not properly validate the Flow-Description, leading to an out-of-bounds read of the token array. This causes a runtime panic and crashes the UPF process, resulting in denial of service. An attacker who can send PFCP Session Establishment Requests to the UPF's N4/PFCP endpoint can exploit this to repeatedly crash the UPF. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the UPF process to crash repeatedly, resulting in denial of service. Since the UPF is a critical component in the network handling user plane traffic, its crash can disrupt network services, degrade performance, and cause outages. An attacker exploiting this vulnerability can cause service interruptions by sending malformed PFCP Session Establishment Requests, potentially impacting availability and reliability of network functions relying on the UPF. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the UPF logs for runtime panics or crashes related to the parseFlowDesc function, especially after receiving PFCP Session Establishment Requests. Network detection involves capturing PFCP messages and inspecting Session Establishment Requests for malformed Flow-Description strings, such as those missing the 'to' clause (e.g., 'permit out ip from any'). A practical approach is to use packet capture tools like tcpdump or Wireshark to filter PFCP traffic on the N4 interface and analyze the CreatePDR IE for malformed Flow-Descriptions. Additionally, reproducing the issue using the provided Go-based proof-of-concept (PoC) can help confirm vulnerability presence. Example command to capture PFCP traffic: tcpdump -i <interface> udp port 8805 -w pfcp_capture.pcap [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting or filtering access to the UPF's N4/PFCP endpoint to trusted sources only, preventing attackers from sending crafted PFCP Session Establishment Requests. Monitoring and alerting on UPF process crashes or panics can help detect exploitation attempts. Applying any available patches or updates from the omec-project that address this issue is recommended once released. In the meantime, consider implementing network-level protections such as firewall rules to block unauthorized PFCP traffic and rate limiting to reduce the impact of potential exploit attempts. [1]

Useful 0 Not Useful 0