CVE-2025-65568
📋 TL;DR
A denial-of-service vulnerability in the omec-project UPF's pfcpiface component allows attackers to crash the UPF by sending specially crafted PFCP Session Establishment Request messages with malformed IPv4 address fields. This disrupts user-plane services and affects systems running the vulnerable UPF version. Organizations using omec-project UPF for 5G core networks are impacted.
💻 Affected Systems
- omec-project UPF (pfcpiface component)
📦 What is this software?
Upf by Opennetworking
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of user-plane services, causing widespread service outage for all users served by the UPF, potentially affecting critical communications.
Likely Case
Repeated UPF crashes leading to intermittent service disruptions, increased operational overhead for restarting services, and potential data loss for in-flight sessions.
If Mitigated
Limited impact with proper network segmentation and monitoring, allowing quick detection and response to attack attempts.
🎯 Exploit Status
Exploitation requires ability to send PFCP messages to the N4 interface after association. The vulnerability is straightforward to trigger once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub issue #962 for latest patched version
Vendor Advisory: https://github.com/omec-project/upf/issues/962
Restart Required: Yes
Instructions:
1. Monitor GitHub issue #962 for official patch release.
2. Update to patched version when available.
3. Restart UPF services after patching.
4. Verify fix through testing.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the UPF N4/PFCP endpoint to trusted gNB and SMF entities only (Linux). PFCP is carried over UDP, so the rules match UDP rather than TCP:
iptables -A INPUT -p udp --dport [N4_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p udp --dport [N4_PORT] -j DROP
Input Validation Enhancement
Add additional validation for PFCP messages before processing (all platforms)
Implement a custom validation layer, or modify parseFAR() to check the IPv4 address length before the ip2int() call
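A sketch of the length check described above, as an added example that is not the omec-project code: the function names uncheckedIP2Int, checkedIP2Int and panics are hypothetical, and the sample inputs are constructed. It shows how an unvalidated conversion panics on an empty or truncated field while a validated one returns an error the caller can use to reject the message.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// errBadIPv4 is returned when an address field is not a usable IPv4 address.
var errBadIPv4 = errors.New("invalid IPv4 address field")

// uncheckedIP2Int models a conversion with no length check (hypothetical,
// not the project's code): a slice shorter than 4 bytes panics.
func uncheckedIP2Int(ip net.IP) uint32 {
	return binary.BigEndian.Uint32(ip)
}

// checkedIP2Int validates the field before converting. net.IP.To4 returns
// nil for empty, short, or non-IPv4 input, so bad data is never indexed.
// It accepts both the 4-byte and the 16-byte IPv4-mapped representation.
func checkedIP2Int(ip net.IP) (uint32, error) {
	v4 := ip.To4()
	if v4 == nil {
		return 0, fmt.Errorf("%w: length %d", errBadIPv4, len(ip))
	}
	return binary.BigEndian.Uint32(v4), nil
}

// panics reports whether f panics, so the failure mode can be shown safely.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	// Constructed samples: a valid address, an empty field, a truncated field.
	samples := []net.IP{net.IP{10, 0, 0, 1}, net.IP{}, net.IP{10, 0}}
	for _, ip := range samples {
		v, err := checkedIP2Int(ip)
		crash := panics(func() { uncheckedIP2Int(ip) })
		fmt.Printf("len=%d checked=(%#x, %v) unchecked panics=%v\n", len(ip), v, err, crash)
	}
}
```

In a message handler, the error from the checked conversion would be mapped to a PFCP rejection instead of letting the process terminate.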
🧯 If You Can't Patch
- Implement strict network access controls to limit who can communicate with the UPF N4 interface
- Deploy monitoring and alerting for UPF process crashes with automated restart capabilities
🔍 How to Verify
Check if Vulnerable:
Check the installed UPF version: run dpkg -l | grep upf-epc-pfcpiface, or check the package manager for version 2.1.3-dev
Check Version:
dpkg -l | grep upf-epc-pfcpiface || rpm -qa | grep upf-epc-pfcpiface
If neither package manager lists the package, check the UPF configuration files for the version.
Verify Fix Applied:
After patching, test with malformed PFCP Session Establishment Request containing empty IPv4 address field - UPF should reject message without crashing
📡 Detection & Monitoring
Log Indicators:
- UPF process crashes/restarts
- panic messages containing 'index-out-of-range' or 'out-of-bounds read'
- PFCP association failures
Network Indicators:
- Unusual PFCP Session Establishment Request patterns
- Multiple PFCP messages with malformed IPv4 fields from single source
SIEM Query:
source="upf.log" AND ("panic" OR "crash" OR "index-out-of-range")