How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability impacts the availability of the free5GC BSF service by causing the BSF container to crash and exit, resulting in a denial-of-service condition until the service is restarted.

There is no indication from the provided information that this vulnerability affects confidentiality or integrity of data, nor does it mention any direct impact on compliance with standards such as GDPR or HIPAA.

Since the vulnerability requires authenticated access and only causes service disruption without data leakage or modification, its compliance impact is limited to availability concerns.

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing the BSF (Binding Support Function) process crashes with the Go runtime fatal error: "concurrent map read and map write." The BSF container exits with code 2, causing the BSF SBI surface to go down until it is restarted.

To detect the vulnerability on your system, you can monitor the BSF logs for the specific Go runtime panic message and container exit codes.

Additionally, you can attempt to reproduce the issue by sending concurrent authenticated PUT requests to the endpoint /nbsf-management/v1/subscriptions/{subId} with fresh subscription IDs that do not exist, which triggers the unsynchronized map write and causes the crash.

Suggested commands to detect or reproduce the issue include:

• Use curl or a similar HTTP client to send concurrent PUT requests with valid OAuth2 tokens to the vulnerable endpoint, for example:
• curl -X PUT -H "Authorization: Bearer <valid_token>" -d '{"subscriptionData": ...}' https://<bsf-host>/nbsf-management/v1/subscriptions/<nonexistent_subId>
• Run multiple such requests in parallel (e.g., using a shell loop or a tool like GNU parallel) to simulate concurrent load.
• Monitor BSF container logs for the Go runtime panic message:
• docker logs <bsf_container_id> | grep 'concurrent map read and map write'
• Check the container exit code to confirm crash:
• docker inspect <bsf_container_id> --format='{{.State.ExitCode}}'

Useful 0 Not Useful 0

How can this vulnerability impact me? :

The impact of this vulnerability is that under concurrent authenticated PUT requests, the BSF component of free5GC can crash due to a runtime panic caused by concurrent map access. This results in the BSF container exiting and the entire BSF SBI surface becoming unavailable until the service is restarted. Essentially, this leads to a denial of service (DoS) condition affecting the 5G core network functionality.

Useful 0 Not Useful 0

Can you explain this vulnerability to me?

This vulnerability exists in free5GC, an open-source 5G core network implementation, specifically in versions prior to 4.2.2. The issue is in the BSF PUT /nbsf-management/v1/subscriptions/{subId} handler, which performs an unsynchronized write operation on a global Subscriptions map. While the handler reads the map under a read lock, if a subscription does not exist, it writes to the map without acquiring the necessary mutex lock. This unsynchronized concurrent access can cause the Go runtime to panic due to concurrent map read and write operations, leading to the BSF container crashing and exiting with code 2.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in free5GC version 4.2.2. Immediate mitigation involves upgrading the free5GC BSF component to version 4.2.2 or later.

Until the upgrade can be performed, consider restarting the BSF container if it crashes due to this issue, as the BSF SBI surface goes down until restart.

Useful 0 Not Useful 0