Impact Analysis

The impact of this vulnerability includes the potential exposure of internal infrastructure details due to the 500 Internal Server Error response. Since the attacker can be unauthenticated and inject control characters, this could lead to information disclosure that might aid further attacks or exploitation of the system.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the free5GC UDM component to version 4.2.2 or later, where the issue has been fixed.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in the free5GC UDM component prior to version 4.2.2. The UDM fails to properly validate the supi path parameter in six GET handlers of the nudm-sdm (Subscriber Data Management) service. An unauthenticated attacker can exploit this by injecting control characters into the SUPI parameter, which causes the UDM to forward a malformed request to the UDR. This results in a 500 Internal Server Error response that exposes internal infrastructure details.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in free5GC UDM allows an unauthenticated attacker to cause a 500 Internal Server Error that exposes sensitive internal infrastructure details, including hostnames, ports, API paths, and versions. This exposure of internal information could potentially lead to further attacks on internal 5G core components.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the exposure of sensitive internal details and the potential for further exploitation could be considered a risk to data confidentiality and system integrity, which are key aspects of these regulations.

Therefore, this vulnerability may negatively impact compliance with common security and privacy standards by increasing the risk of unauthorized access or data breaches, but no direct statement about regulatory compliance impact is provided.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending specially crafted GET requests to the affected nudm-sdm service endpoints with malformed SUPI parameters containing control characters. If the system is vulnerable, it will respond with a 500 Internal Server Error that includes internal infrastructure details such as the UDR's hostname, port, API path structure, and version.

The affected GET handlers to test are:

• GET /:supi/smf-select-data
• GET /:supi
• GET /:supi/trace-data
• GET /:supi/ue-context-in-smf-data
• GET /:supi/nssai
• GET /:supi/sm-data

Example command using curl to test one endpoint (replace <base_url> with your UDM service URL):

curl -v "<base_url>/\x01smf-select-data"

If the response is a 500 Internal Server Error containing internal details, the system is vulnerable.

Useful 0 Not Useful 0