Executive Summary

This vulnerability exists in free5GC, an open-source 5G core network implementation, prior to version 4.2.2. It occurs in the PCF POST /npcf-policyauthorization/v1/app-sessions handler when it receives a single authenticated request with specific conditions: the ascReqData.suppFeat field equals "1" (which enables traffic-routing feature negotiation), and the medComponents entries include an afAppId but do not include an AfRoutReq.

Under these conditions, the code calls the function provisioningOfTrafficRoutingInfo with a nil routeReq parameter. The function then attempts to access fields of routeReq without checking if it is nil, leading to a runtime error caused by dereferencing a nil pointer. This causes the application to panic, which the Gin framework recovers from by returning an HTTP 500 error.

This vulnerability is fixed in free5GC version 4.2.2.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the free5GC PCF component to panic and return HTTP 500 errors when processing certain authenticated requests. This results in a denial of service condition where legitimate traffic-routing requests may fail, potentially disrupting network operations.

Since the vulnerability leads to a runtime error and service interruption, it can impact the availability of the 5G core network functions relying on free5GC, affecting users and services dependent on those network capabilities.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade free5GC to version 4.2.2 or later, where the issue has been fixed.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by sending an authenticated POST request to the /npcf-policyauthorization/v1/app-sessions endpoint of the free5GC PCF component with the ascReqData.suppFeat field set to "1" and medComponents entries including an afAppId but no AfRoutReq. Such a request triggers a panic resulting in an HTTP 500 Internal Server Error response.

A practical detection method is to craft and send this specific request using a tool like curl or any HTTP client that supports OAuth2 authentication tokens.

• Use curl to send a POST request with a valid OAuth2 token and the crafted JSON payload that sets suppFeat to "1" and includes medComponents with afAppId but omits AfRoutReq.
• Observe if the server responds with HTTP 500 errors, indicating the vulnerability is present.

Example curl command (replace <TOKEN> and <PCF_URL> accordingly):

• curl -X POST <PCF_URL>/npcf-policyauthorization/v1/app-sessions -H "Authorization: Bearer <TOKEN>" -H "Content-Type: application/json" -d '{"ascReqData": {"suppFeat": "1"}, "medComponents": [{"afAppId": "someAppId"}]}' -v

If the server crashes or returns HTTP 500 errors upon this request, it indicates the presence of the vulnerability.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0