Executive Summary

This vulnerability exists in the free5GC NRF component's access-token generation logic. Specifically, the AccessTokenScopeCheck() function bypasses all scope validation when the access token request includes the parameter targetNF set to "NRF". This means an attacker can craft a request with targetNF=NRF and obtain an access token with any arbitrary scope, including privileged scopes they are not authorized for. This happens because the function returns early without validating scopes for targetNF=NRF, allowing unauthorized Network Functions to escalate privileges by accessing services they shouldn't. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to obtain access tokens with arbitrary scopes by bypassing scope validation. As a result, unauthorized Network Functions can escalate privileges and access protected services and sensitive subscriber data within the 5G core network. For example, a UDR NF could access UDM services it is not authorized to use, potentially leading to unauthorized data access and compromise of network security. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring access token requests sent to the NRF component, specifically looking for requests where the parameter targetNF is set to "NRF" and the scope requested is beyond the authorized scopes for the requesting NF. One can reproduce the detection by sending an access token request with parameters such as grant_type=client_credentials, nfInstanceId=<NF_INSTANCE_ID>, nfType=<NF_TYPE>, targetNfType=NRF, and scope=<privileged_scope>. If the NRF issues a token with the requested privileged scope despite the NF not being authorized, the vulnerability is present. Commands to test this could involve using curl or similar HTTP clients to send such requests to the NRF's token endpoint and observe the responses. For example: ```bash curl -X POST https://<NRF_ADDRESS>/oauth/token -d 'grant_type=client_credentials&nfInstanceId=<NF_INSTANCE_ID>&nfType=<NF_TYPE>&targetNfType=NRF&scope=nudm-sdm' -H 'Content-Type: application/x-www-form-urlencoded' ``` If the response returns HTTP 200 OK with the requested scope, the vulnerability exists. Proper behavior would be HTTP 403 Forbidden or an invalid_scope error. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating the free5gc NRF component to a version that includes the patch removing the early exit condition in AccessTokenScopeCheck() that bypasses scope validation for targetNF=NRF. The patch enforces strict scope validation against a predefined list of valid NRF service scopes and rejects invalid scope requests with an "invalid_scope" error. Until the patch is applied, restrict access to the NRF token endpoint to trusted clients only and monitor for suspicious token requests with targetNF=NRF. Applying network-level controls and auditing token issuance logs can help reduce exploitation risk. [2]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to obtain access tokens with arbitrary scopes, enabling unauthorized access to protected services and sensitive subscriber data within the 5G core network. Such unauthorized access and potential data exposure could lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive information. Therefore, the vulnerability poses a risk to compliance with these common standards and regulations by undermining access control mechanisms and potentially exposing protected data. [1]

Useful 0 Not Useful 0