Executive Summary

This vulnerability affects free5GC, an open-source 5G core network implementation. Specifically, prior to version 4.2.2, the NEF component mounts the nnef-pfdmanagement route group without requiring inbound OAuth2 or bearer-token authorization.

As a result, a network attacker who can access the NEF on the Service-Based Interface (SBI) can use a forged or arbitrary bearer token (for example, "Authorization: Bearer not-a-real-token") to perform unauthorized actions.

• Read PFD application data via GET /applications and GET /applications/{appID}
• Create or delete PFD change-notification subscriptions via POST /subscriptions and DELETE /subscriptions/{subID}

The root cause is that the route group is mounted without any inbound authentication middleware, despite being declared in the runtime ServiceList and expected to be protected by OAuth2 settings.

This vulnerability was fixed in free5GC version 4.2.2.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to bypass authentication and gain unauthorized access to sensitive network functions.

• An attacker can read PFD (Policy and Charging Function) application data, potentially exposing sensitive information.
• An attacker can create or delete PFD change-notification subscriptions, which could disrupt network operations or monitoring.

Given the CVSS base score of 10.0, this is a critical vulnerability with network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in free5GC version 4.2.2. Immediate mitigation involves upgrading free5GC to version 4.2.2 or later.

This vulnerability arises because the nnef-pfdmanagement route group is mounted without inbound OAuth2/bearer-token authorization. Ensuring that OAuth2 authorization is properly enforced on this route group can mitigate the issue.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized access to sensitive Packet Flow Description (PFD) application data and the ability to create or delete subscriptions, which can lead to data exposure, integrity compromise, and service disruption.

Such unauthorized access and potential data breaches could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and mandate protection against unauthorized disclosure and modification.

Because the vulnerability enables attackers to read sensitive traffic classification policies and manipulate subscriptions without proper authorization, it undermines the confidentiality, integrity, and availability principles central to these regulations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the free5GC NEF's nnef-pfdmanagement API endpoints without valid OAuth2 or bearer-token authorization. Specifically, you can test if the endpoints /applications, /applications/{appID}, /subscriptions, and /subscriptions/{subID} are accessible with a forged or arbitrary bearer token.

Suggested commands include using curl to send HTTP requests with an invalid bearer token to these endpoints and checking if access is granted:

• curl -H "Authorization: Bearer not-a-real-token" http://<NEF_IP>:<PORT>/applications
• curl -H "Authorization: Bearer not-a-real-token" http://<NEF_IP>:<PORT>/applications/<appID>
• curl -X POST -H "Authorization: Bearer not-a-real-token" http://<NEF_IP>:<PORT>/subscriptions -d '<subscription_data>'
• curl -X DELETE -H "Authorization: Bearer not-a-real-token" http://<NEF_IP>:<PORT>/subscriptions/<subID>

If these requests succeed without proper authorization errors, it indicates the vulnerability is present.

Useful 0 Not Useful 0