Executive Summary

This vulnerability exists in free5GC, an open-source 5G core network implementation, prior to version 4.2.2. The issue arises because the SMF component mounts the UPI management route group without inbound OAuth2 middleware, allowing unauthenticated access. Specifically, the DELETE /upi/v1/upNodesLinks/{upNodeRef} handler dereferences a UPF object after an asynchronous release, even though some nodes (AN-typed) do not have a UPF object. This causes a nil-pointer panic when an unauthenticated attacker sends a DELETE request targeting any AN entry by name.

As a result, the handler crashes and mutates the in-memory user-plane topology before panicking, leading to a denial-of-service (DoS) condition triggered by an off-path network attacker without authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited by an unauthenticated attacker to cause a denial-of-service (DoS) condition in the free5GC system. By sending a specially crafted DELETE request, the attacker can crash the handler responsible for managing user-plane topology, causing the system to panic and potentially disrupting network services.

Since the attack is unauthenticated and can be triggered remotely (off-path network attacker), it poses a significant risk to the availability and stability of the 5G core network infrastructure using vulnerable versions of free5GC.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in free5GC version 4.2.2. Immediate mitigation involves upgrading free5GC to version 4.2.2 or later.

Until the upgrade can be applied, restrict access to the DELETE /upi/v1/upNodesLinks/{upNodeRef} endpoint to trusted and authenticated users only, to prevent unauthenticated off-path attackers from triggering the denial-of-service.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in free5GC's SMF component allows unauthenticated attackers to trigger a denial-of-service (DoS) condition and mutate in-memory user-plane topology without authorization. This lack of authentication and authorization (CWE-306 and CWE-862) can lead to unauthorized state changes and service disruption.

Such unauthorized access and denial of service could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of system integrity, availability, and prevention of unauthorized access to network functions and data.

Specifically, the vulnerability allows off-path attackers to cause persistent disruption and unauthorized deletion of network entries, which may violate requirements for secure access controls and system availability mandated by these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to send an unauthenticated DELETE request to the vulnerable free5GC SMF UPI management API endpoint and observing if the SMF process crashes or returns a 500 error.

A practical detection method is to issue a DELETE HTTP request to the endpoint `/upi/v1/upNodesLinks/{upNodeRef}` with an AN node reference, for example `gNB1`, without any authentication headers.

If the system is vulnerable, the request will cause a nil-pointer panic in the SMF logs and return a 500 Internal Server Error response. This indicates the presence of the vulnerability.

Example command using curl:

• curl -X DELETE http://<smf-ip>:<port>/upi/v1/upNodesLinks/gNB1

Replace `<smf-ip>` and `<port>` with the actual IP address and port of the SMF service. No authentication headers should be included to test the vulnerability.

Monitoring the SMF logs for nil-pointer panic stack traces around `api_upi.go:99` after sending this request can also confirm the vulnerability.

Useful 0 Not Useful 0