Executive Summary

This vulnerability exists in free5GC, an open-source 5G core network implementation, prior to version 4.2.2. The issue is that the PCF component's Npcf_SMPolicyControl service group lacks authentication middleware, allowing unauthenticated access to SM policy handlers. Specifically, certain API endpoints related to SM policies do not require a valid OAuth token to access their business logic. This happens because the smPolicyGroup route group is created without attaching the necessary router authorization middleware, unlike other PCF service groups. As a result, unauthorized users can access sensitive functions and potentially disclose subscriber SUPI information.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can have significant impacts including unauthorized access to subscriber management functions and disclosure of sensitive subscriber information such as the SUPI (Subscriber Permanent Identifier). Because the affected endpoints do not require authentication, attackers can interact with SM policy handlers without valid credentials, potentially leading to privacy breaches and unauthorized manipulation of subscriber policies.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade free5GC to version 4.2.2 or later, where the missing authentication middleware in the PCF Npcf_SMPolicyControl service has been fixed.

Until the upgrade can be applied, restrict access to the affected endpoints (/npcf-smpolicycontrol/v1/sm-policies and related paths) by network controls such as firewalls or API gateways to prevent unauthenticated access.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated access to subscriber identifiers such as the SUPI (Subscription Permanent Identifier), leading to potential unauthorized disclosure of sensitive personal data.

Such unauthorized exposure of personally identifiable information (PII) can violate data protection regulations like GDPR and HIPAA, which mandate strict controls on access to sensitive personal and health-related information.

By failing to enforce authentication middleware, the affected free5GC PCF component risks non-compliance with these standards due to the confidentiality breach and lack of proper access controls.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting unauthenticated requests to the affected free5GC PCF SM policy control endpoints and observing if unauthorized access is granted or sensitive subscriber information is disclosed.

Specifically, you can test the following endpoints without providing a valid OAuth token:

• GET /npcf-smpolicycontrol/v1/sm-policies
• GET /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}
• POST /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/update
• DELETE /npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete

If these requests return successful responses (e.g., HTTP 200) or reveal subscriber SUPI information without authentication, the system is vulnerable.

Example curl command to test unauthenticated access to a specific policy ID (replace {smPolicyId} with an actual ID):

• curl -v http://<pcf-ip>:<port>/npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}

A vulnerable system may respond with HTTP 200 and include subscriber SUPI data in the response body even without an OAuth token.

To confirm the fix, the same requests should return HTTP 401 Unauthorized if the system is updated to version 4.2.2 or later.

Useful 0 Not Useful 0