Executive Summary

This vulnerability exists in free5GC, an open-source implementation of the 5G core network, specifically in versions prior to 4.2.2. The Session Management Function (SMF) mounts the UPI management route group without requiring OAuth2 or bearer-token authorization middleware. As a result, a network attacker who can access the SMF on the Service-Based Interface (SBI) can send requests to UPI endpoints without any Authorization header. These unauthorized requests are processed by the SMF business handlers, allowing the attacker to perform read, write, and delete operations on UPI nodes and links.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to fully control certain management operations on the 5G core network's UPI endpoints without any authentication. The attacker can read sensitive information, modify data by injecting attacker-controlled payloads, and delete nodes or links. Given the CVSS score of 10.0 with high impact on confidentiality, integrity, and availability, this can lead to significant disruption of network services, data breaches, and potential denial of service.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the UPI management route group endpoints on the SMF without providing an Authorization header and observing if the requests are accepted.

For example, you can use curl commands to test the endpoints:

• GET request to check read access: curl -v http://<SMF_IP>:<PORT>/upi/v1/upNodesLinks
• POST request to check write access: curl -v -X POST http://<SMF_IP>:<PORT>/upi/v1/upNodesLinks -d '<attacker-controlled payload>' -H 'Content-Type: application/json'
• DELETE request to check delete access: curl -v -X DELETE http://<SMF_IP>:<PORT>/upi/v1/upNodesLinks/<nodeID>

If these requests succeed without an Authorization header, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade free5GC to version 4.2.2 or later, where the issue is fixed.

Until the upgrade can be performed, restrict network access to the SMF's SBI interface to trusted sources only to prevent unauthorized access.

Additionally, monitor and block any unauthorized requests to the UPI management route group endpoints.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in free5GC's SMF UPI management interface allows unauthenticated attackers to perform unauthorized read, write, and delete operations on network topology data without proper authorization. This lack of authentication and authorization controls can lead to unauthorized access and manipulation of sensitive network information.

Such unauthorized access and potential data manipulation can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls, data integrity, and protection of sensitive information. The vulnerability's critical CVSS score (10.0) reflects high impacts on integrity and availability, which are key aspects in regulatory compliance.

By allowing attackers to bypass authentication, the vulnerability undermines the security controls necessary to meet regulatory requirements for protecting data confidentiality, integrity, and availability.

Useful 0 Not Useful 0