PT-2023-29960 · Free5Gc · Free5Gc

Govulnbot · Published 2023-10-22 · Updated 2024-01-09 · CVE-2023-46324

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: free5GC udm, versions prior to 1.2.0

Description: The issue allows an Invalid Curve Attack because the UDM may compute a shared secret from an uncompressed public key that has not been validated as a point on the curve. An attacker can send arbitrary SUCIs to the UDM, which tries to decrypt them using its own private key together with the attacker-supplied public key.

Recommendations: For versions prior to 1.2.0, update to version 1.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the suci.go module in pkg/suci to minimize the risk of exploitation. Avoid using uncompressed public keys in the affected UDM until the issue is resolved.
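The defensive check the description calls for is point validation before key agreement: an uncompressed public key received inside a SUCI must be confirmed to lie on the expected curve before the UDM's private key is ever multiplied by it. The Go program below is an added example written for this page; it is not free5GC's code and does not reproduce the 1.2.0 fix. It assumes P-256 as the curve and a 65-byte SEC1 uncompressed encoding (0x04 || X || Y), and it uses the standard-library crypto/ecdh package, whose NewPublicKey rejects off-curve points and the point at infinity. The sample inputs are constructed: the valid point is the P-256 generator, and the invalid one is the same point with its Y coordinate incremented, which cannot be on the curve because a given X admits only two Y values.

```go
package main

import (
	"crypto/ecdh"
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
)

// ValidateUncompressedP256 rejects anything that is not a well-formed,
// on-curve P-256 point. Assumption: the peer key arrives as SEC1
// uncompressed bytes (0x04 || X || Y), 65 bytes for P-256.
func ValidateUncompressedP256(pub []byte) (*ecdh.PublicKey, error) {
	if len(pub) != 65 || pub[0] != 0x04 {
		return nil, errors.New("expected 65-byte SEC1 uncompressed P-256 point")
	}
	// crypto/ecdh checks that the point is on the curve and is not the
	// point at infinity; compressed encodings are rejected as well.
	key, err := ecdh.P256().NewPublicKey(pub)
	if err != nil {
		return nil, fmt.Errorf("rejecting peer public key: %w", err)
	}
	return key, nil
}

// SharedSecret derives the ECDH shared secret only after the peer key has
// passed validation, so an off-curve point never reaches the scalar multiply
// with our private key.
func SharedSecret(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ValidateUncompressedP256(peerPub)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

// ValidPoint returns the P-256 generator in uncompressed form
// (constructed sample input, known to be on the curve).
func ValidPoint() []byte {
	p := elliptic.P256().Params()
	out := make([]byte, 65)
	out[0] = 0x04
	p.Gx.FillBytes(out[1:33])
	p.Gy.FillBytes(out[33:65])
	return out
}

// OffCurvePoint takes the generator and adds one to its Y coordinate.
// For a given X only y and p-y satisfy the curve equation, so this point
// is not on P-256 (constructed sample input). Gy ends in 0xf5, so the
// increment does not carry into the next byte.
func OffCurvePoint() []byte {
	out := ValidPoint()
	out[64]++
	return out
}

func main() {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if s, err := SharedSecret(priv, ValidPoint()); err == nil {
		fmt.Printf("valid point accepted, %d-byte shared secret derived\n", len(s))
	}
	if _, err := SharedSecret(priv, OffCurvePoint()); err != nil {
		fmt.Println("off-curve point:", err)
	}
}
```

In a receiver such as a UDM this validation belongs at the point where the SUCI is parsed, before the private key is touched; a key that fails the check should cause the whole SUCI to be discarded rather than a fallback to a different decoding.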

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature
Use of a Broken Cryptographic Algorithm

Related identifiers

CVE-2023-46324
GHSA-CQVV-R3G3-26RF

Affected products

Free5Gc

Found a problem in the description? Have something to add? Feel free to write to us 👾