CVE-2026-44315
Status: Analyzed - Analysis Complete
Authentication Bypass in free5GC NEF Service

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: GitHub, Inc.

Description
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can create, read, and delete PFD-management transaction state with a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token). The route group is also reachable even when the running config's ServiceList does not declare it, so operators who think they disabled the service via config are still exposed. This vulnerability is fixed in 4.2.2.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-28
Generated: 2026-06-17
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: free5gc
Product: free5gc
Version / Range: up to 4.2.2 (exclusive)
CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions prior to 4.2.2. The NEF component mounts the 3gpp-pfd-management API without requiring inbound OAuth2 or bearer-token authorization. This means a network attacker who can access the NEF on the SBI interface can create, read, and delete PFD-management transaction states using a forged or arbitrary bearer token, such as "Authorization: Bearer not-a-real-token."

Additionally, the route group for this API is accessible even if the running configuration's ServiceList does not declare it, so operators who believe they have disabled the service via configuration remain exposed. This vulnerability was fixed in version 4.2.2.

Impact Analysis

This vulnerability can have severe impacts because it allows an unauthenticated network attacker to manipulate PFD-management transaction states on the NEF component of the 5G core network. Specifically, the attacker can create, read, and delete these states without proper authorization.

The CVSS v3.1 base score of 9.4 indicates a critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. This means the attacker can cause significant data exposure, unauthorized data modification, and service disruption.

Mitigation Strategies

The vulnerability is fixed in free5GC version 4.2.2. Immediate mitigation involves upgrading free5GC to version 4.2.2 or later.

Before 4.2.2, the NEF mounts the 3gpp-pfd-management API without inbound OAuth2/bearer-token authorization, and the route group stays reachable even when the running config's ServiceList does not declare it. Removing the service from the config therefore does not close the exposure; upgrading is critical to prevent unauthorized access.
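
The two controls whose absence the description names (an authorization check on the route group, and mounting the group only when ServiceList declares it), shown as an added Go example using only the standard library. It is not free5GC's code or the 4.2.2 patch; `newRouter`, `requireBearer`, `sampleValidator`, the sample token and the request path are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const pfdService = "3gpp-pfd-management" // advisory's API name; mount prefix is assumed

// requireBearer rejects any request whose bearer token the validator refuses.
func requireBearer(valid func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") || !valid(strings.TrimPrefix(h, "Bearer ")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Constructed stand-ins; a real NF verifies token signature, audience and scope.
func listPFD(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "[]") }
func sampleValidator(tok string) bool               { return tok == "constructed-sample-token" }

// newRouter mounts the group only if serviceList declares it, always behind auth.
func newRouter(serviceList []string, valid func(string) bool) http.Handler {
	mux := http.NewServeMux()
	for _, s := range serviceList {
		if s == pfdService {
			mux.Handle("/"+pfdService+"/", requireBearer(valid, http.HandlerFunc(listPFD)))
			break // register once even if the name is listed twice
		}
	}
	return mux
}

// status replays one GET (constructed path) in-process and returns the HTTP code.
func status(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/"+pfdService+"/v1/af1/transactions", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(status(newRouter([]string{pfdService}, sampleValidator), "not-a-real-token")) }
```

With the group declared, the forged token from the description is answered with 401 and the sample token with 200; with the service absent from the list, the same path returns 404 regardless of token.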

Compliance Impact

This vulnerability allows unauthenticated attackers to create, read, and delete sensitive Packet Flow Description (PFD) management transactions by bypassing OAuth2/bearer-token authorization in the free5GC NEF component.

Such unauthorized access can lead to leakage of sensitive application function-supplied policy data and manipulation of policy states, which may result in data integrity and availability issues.

These impacts could violate data protection requirements under standards like GDPR and HIPAA, which mandate strict controls on access to sensitive data and require maintaining data integrity and availability.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing sensitive data and undermining the security controls expected to protect it.

Detection Guidance

This vulnerability can be detected by attempting to access the 3gpp-pfd-management API on the free5GC NEF component using forged or arbitrary bearer tokens. Specifically, sending HTTP requests with an Authorization header containing an invalid bearer token (e.g., "Authorization: Bearer not-a-real-token") to the NEF's Service-Based Interface (SBI) endpoints for creating, reading, or deleting PFD transactions can reveal if the system improperly allows unauthorized access.

If the NEF responds without rejecting the request (i.e., does not return 401 Unauthorized or 403 Forbidden), this indicates the vulnerability is present.

Example commands using curl to test the vulnerability include:

  • curl -X GET https://<nef-ip>:<port>/nef-pfd-management/v1/pfd-transaction -H "Authorization: Bearer not-a-real-token" -k -v
  • curl -X POST https://<nef-ip>:<port>/nef-pfd-management/v1/pfd-transaction -H "Authorization: Bearer not-a-real-token" -H "Content-Type: application/json" -d '{"some":"data"}' -k -v
  • curl -X DELETE https://<nef-ip>:<port>/nef-pfd-management/v1/pfd-transaction/<transaction-id> -H "Authorization: Bearer not-a-real-token" -k -v

Replace <nef-ip>, <port>, and <transaction-id> with appropriate values for your environment.
