CVE-2026-44321
BaseFortify
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| free5gc | free5gc | 4.2.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in free5GC, an open-source 5G core network implementation, prior to version 4.2.2. The SMF component mounts the UPI management route group without inbound OAuth2 middleware, allowing unauthenticated access. Specifically, the POST /upi/v1/upNodesLinks create-or-update handler accepts attacker-controlled JSON input and passes it directly into a function that performs validation. If the validation fails, such as when a new UPF's IP pool overlaps with an existing UPF's pool, the SMF process terminates entirely instead of just the affected goroutine.
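As an added example (not free5GC's code), the Go pattern below shows the two properties the handler described above lacked: an authorization check before the body is parsed, and UE-IP-pool validation that returns an error mapped to HTTP 400 instead of ending the process. The `upfNode` body shape, `checkPools`, `upiHandler`, the `authorized` callback (a stand-in for OAuth2 token validation) and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/netip"
)

// upfNode is a hypothetical, simplified request body (not free5GC's schema).
type upfNode struct{ Pools []string `json:"pools"` }

var sampleExisting = []netip.Prefix{netip.MustParsePrefix("10.60.0.0/16")} // constructed sample

// checkPools returns the merged pool set, or an error (never a process exit) on a bad or overlapping pool.
func checkPools(existing []netip.Prefix, n upfNode) ([]netip.Prefix, error) {
	all := append([]netip.Prefix(nil), existing...) // copy so the caller's slice is untouched
	for _, s := range n.Pools {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			return nil, fmt.Errorf("pool %q: %w", s, err)
		}
		for _, e := range all { // compares against existing pools and earlier pools in this request
			if p.Overlaps(e) {
				return nil, fmt.Errorf("pool %s overlaps %s", p, e)
			}
		}
		all = append(all, p)
	}
	return all, nil
}

// upiHandler checks the caller first, then maps every validation failure to HTTP 400.
func upiHandler(existing []netip.Prefix, authorized func(*http.Request) bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var n upfNode
		if !authorized(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		} else if json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<16)).Decode(&n) != nil {
			http.Error(w, "bad request body", http.StatusBadRequest)
		} else if _, err := checkPools(existing, n); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
		} else {
			w.WriteHeader(http.StatusNoContent)
		}
	}
}

func main() { fmt.Println(checkPools(sampleExisting, upfNode{Pools: []string{"10.60.128.0/17"}})) }
```

The handler here does not persist the accepted pools; a real service would store the returned set under a lock.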
How can this vulnerability impact me?
The vulnerability can cause a denial of service (DoS) condition by terminating the entire SMF process when an attacker sends a specially crafted unauthenticated POST request. This results in the SMF component stopping unexpectedly, which can disrupt the 5G core network services relying on free5GC.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes the SMF process of free5GC to terminate unexpectedly when a specific unauthenticated POST request is made to the /upi/v1/upNodesLinks endpoint with attacker-controlled JSON that triggers a UE-IP-pool overlap.
To detect this vulnerability on your system, monitor the status of the free5GC SMF process for unexpected exits or crashes, especially after POST requests to /upi/v1/upNodesLinks.
You can use the following commands to check the status of the SMF process running in Docker:
- docker ps -a | grep smf # Check if the SMF container has exited unexpectedly
- docker logs <smf_container_id> # Review logs for fatal errors related to UpNodesFromConfiguration or UE-IP-pool overlap
Additionally, network monitoring tools can be used to detect suspicious POST requests to the /upi/v1/upNodesLinks endpoint.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade free5GC to version 4.2.2 or later, where this vulnerability has been fixed.
Until the upgrade can be performed, restrict access to the SMF's UPI management route group, especially the /upi/v1/upNodesLinks endpoint, to trusted and authenticated users only.
Monitor the SMF process for unexpected terminations and restart it as necessary to maintain service availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in free5GC's SMF component causes a denial of service by crashing the entire SMF process when an unauthenticated attacker sends a crafted POST request with overlapping UE IP pools. This impacts the availability of the 5G core network services.
While the vulnerability affects availability, there is no indication from the provided information that it leads to loss of confidentiality or integrity of data.
Since common standards and regulations like GDPR and HIPAA emphasize the protection of personal data confidentiality, integrity, and availability, this vulnerability primarily impacts the availability aspect.
Disruption of network services due to denial of service could lead to non-compliance with availability requirements in these regulations, potentially affecting service continuity and reliability.
However, there is no direct evidence from the provided context that this vulnerability results in unauthorized data access or data breaches.