Executive Summary

CVE-2025-65568 is a denial-of-service vulnerability in the omec-project UPF (User Plane Function) version upf-epc-pfcpiface:2.1.3-dev. It occurs when the UPF processes a PFCP Session Establishment Request containing a CreateFAR with an empty or truncated IPv4 address field. The vulnerability arises because the code does not properly validate the IPv4 address field and attempts to convert it to an integer, leading to an out-of-bounds read and a runtime panic (index out of range). This causes the UPF process to crash, disrupting user-plane services. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited by an attacker who can send PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint. By sending a specially crafted request with a malformed CreateFAR containing an empty or truncated IPv4 address, the attacker can cause the UPF to crash repeatedly. This results in a denial-of-service condition, disrupting user-plane services and potentially causing service outages or degraded network performance. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the UPF logs for panic or crash messages related to out-of-bounds reads in the ip2int function during PFCP Session Establishment Requests. Specifically, look for logs showing a runtime panic with an index out of range error triggered by malformed PFCP Session Establishment Requests containing CreateFAR with empty or truncated IPv4 address fields. Additionally, you can use network packet capture tools (e.g., tcpdump) to capture PFCP messages on the N4/PFCP interface and inspect Session Establishment Requests for CreateFAR entries with missing or empty IPv4 addresses. Commands to assist detection include: 1) `journalctl -u upf -f` or checking UPF service logs for panic stack traces referencing ip2int or parseFAR functions; 2) `tcpdump -i <interface> port 8805 -w pfcp_capture.pcap` to capture PFCP traffic (port 8805 is the default PFCP port), then analyze the capture with Wireshark or tshark to identify malformed CreateFAR entries with empty IPv4 addresses. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include: 1) Restrict or filter access to the UPF's N4/PFCP endpoint to trusted sources only, preventing untrusted or malicious actors from sending PFCP Session Establishment Requests; 2) Monitor and block malformed PFCP messages that contain CreateFAR entries with empty or truncated IPv4 address fields; 3) If possible, apply any available patches or updates from the omec-project that address this vulnerability; 4) As a temporary workaround, consider implementing network-level protections such as firewall rules or PFCP message validation proxies to detect and drop malformed PFCP Session Establishment Requests before they reach the UPF. These steps help prevent attackers from exploiting the vulnerability to crash the UPF and cause denial-of-service. [1]

Useful 0 Not Useful 0