Linziyuu

**Name of the Vulnerable Software and Affected Versions** free5GC version 4.2.1 **Description** The Network Exposure Function (NEF) mounts the `nnef-pfdmanagement` route group without inbound OAuth2 or bearer-token authorization. This allows a network attacker with access to the Service-Based Interface (SBI) to use forged or arbitrary bearer tokens to perform unauthorized actions. Specifically, attackers can read PFD application data via the endpoints "/applications" and "/applications/{appID}", and create or delete PFD change-notification subscriptions using "/subscriptions" and "/subscriptions/{subID}". This occurs because the route group is mounted without the necessary inbound authentication middleware, despite being declared in the runtime `ServiceList` where operators expect protection via NRF-issued OAuth2. **Recommendations** Update free5GC to a version that incorporates the fix from pull request 23 in the NEF repository. As a temporary workaround, restrict network access to the NEF Service-Based Interface (SBI) to ensure only trusted entities can reach the `nnef-pfdmanagement` endpoints.

**Name of the Vulnerable Software and Affected Versions** free5GC versions 4.1.0 through 4.2.1 **Description** A nil-pointer dereference occurs in the PCF `HandleCreateSmPolicyRequest` function when a downstream OpenAPI consumer call to the UDR lookup returns a `404 Not Found` error. The handler logs the error but continues execution instead of returning, subsequently dereferencing a nil response struct. This results in an HTTP 500 Internal Server Error. The issue can be triggered via a POST request to the '/npcf-smpolicycontrol/v1/sm-policies' endpoint, specifically when providing input that causes the UDR lookup to fail, such as an unknown `dnn` variable. In version 4.2.1, this endpoint is accessible without an `Authorization` header. **Recommendations** Update free5GC to a version that incorporates the fix from pull request 62 in the PCF repository. As a temporary workaround, restrict access to the '/npcf-smpolicycontrol/v1/sm-policies' endpoint to authorized users only to minimize the risk of unauthenticated exploitation.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The PCF handler for the endpoint "/npcf-policyauthorization/v1/app-sessions" contains a flaw that causes a runtime panic when processing a specific authenticated request. This occurs when the `ascReqData.suppFeat` variable is set to "1" (which enables traffic-routing feature negotiation) and the `medComponents` entries provide an `afAppId` but omit the `AfRoutReq`. In this scenario, the system calls the `provisioningOfTrafficRoutingInfo()` function with a null `routeReq` variable and attempts to dereference its fields, such as `RouteToLocs`, without a prior nil check. This results in an invalid memory address or nil pointer dereference. While the Gin recovery mechanism prevents the entire PCF process from crashing by converting the panic into an HTTP 500 error, an authenticated user can repeatedly trigger this path to cause a per-request denial-of-service (DoS) on the app-session creation process. **Recommendations** Update to version 4.2.2. As a temporary workaround, avoid setting the `ascReqData.suppFeat` variable to "1" when `AfRoutReq` is absent in requests to the "/npcf-policyauthorization/v1/app-sessions" endpoint.

**Name of the Vulnerable Software and Affected Versions** free5GC BSF version 4.2.1 **Description** An unsynchronized write occurs on the global `Subscriptions` map within the BSF handler for the endpoint '/nbsf-management/v1/subscriptions/{subId}'. While the handler reads the map using a read-lock via the `GetSubscription()` function, the `ReplaceIndividualSubcription()` function writes to the same map without acquiring a mutex when a subscription does not exist. Under concurrent authenticated PUT requests, this leads to a concurrent map read and map write, causing the Go runtime to trigger a non-recoverable fatal error that terminates the process. This results in a denial-of-service (DoS) where the entire BSF service becomes unavailable until it is restarted. The attack requires a valid `nbsf-management` OAuth2 access token and targets the `subId` variable. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The Network Exposure Function (NEF) in free5GC terminates the entire process when a stored PFD-subscription `notifyUri` cannot be reached. This occurs within the `PfdChangeNotifier.FlushNotifications()` function, where the notifier calls `NnefPFDmanagementNotify()`. If a delivery error occurs, the system invokes `logger.PFDManageLog.Fatal(err)`, which is equivalent to `os.Exit(1)` in Go, causing the process to exit with status 1 and dropping the entire Service Based Interface (SBI) surface until a restart occurs. An attacker can exploit this by creating a PFD subscription with a chosen unreachable `notifyUri` and then triggering a PFD change. The delivery attempt happens asynchronously, meaning the triggering request may return a success code before the NEF process terminates. This results in a complete loss of availability for the NEF service. **Recommendations** Update to version 4.2.2. As a temporary workaround, restrict access to the NEF SBI surface to trusted sources to prevent unauthorized users from creating PFD subscriptions with malicious `notifyUri` values.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The Network Exposure Function (NEF) in free5GC mounts the 'nnef-callback' route group without inbound OAuth2 or bearer-token authorization. This allows an attacker to reach the SMF-callback handler using a forged or arbitrary bearer token, as the request body is parsed and dispatched into the business logic instead of being rejected at the authentication boundary. The NEF fails to authenticate the producer Network Function (NF) identity before processing callback content. If an attacker obtains or guesses a valid `NotifId`, they can submit forged callbacks to act on real subscription states, potentially corrupting traffic-influence or PFD-management views and affecting downstream policy decisions. The issue is accessible via the endpoint '/nnef-callback/v1/notification/smf' and remains reachable even if the `ServiceList` does not declare the route group. The vulnerability involves the `NotifId` variable and the `SmfNotification` function. **Recommendations** Update to version 4.2.2. As a temporary workaround, restrict network access to the NEF SBI interface to ensure only trusted Network Functions can reach the '/nnef-callback/v1/notification/smf' endpoint.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The Session Management Function (SMF) in free5GC mounts the `UPI` management route group without inbound OAuth2 middleware, allowing unauthenticated access. The `POST` endpoint '/upi/v1/upNodesLinks' accepts attacker-controlled JSON and passes it to the `UpNodesFromConfiguration()` function. This function calls `logger.InitLog.Fatalf()` upon several validation failures, such as the UE-IP-pool overlap check, invalid-pool, or static-pool-exclusion failures. Because `Fatalf` is equivalent to `os.Exit(1)`, it terminates the entire SMF process rather than just the request goroutine, leading to a complete loss of SMF service, including PDU-session establishment and UE policy lookups, until the process is restarted. **Recommendations** Update to version 4.2.2. As a temporary workaround, restrict network access to the SMF Service Based Interface (SBI) to prevent unauthenticated requests from reaching the '/upi/v1/upNodesLinks' endpoint.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The Network Exposure Function (NEF) in free5GC contains a nil-pointer dereference issue within the `PatchIndividualApplicationPFDManagement()` function. This occurs when a PATCH request is sent to the endpoint "/3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId}" while the upstream Unified Data Repository (UDR) call fails and the consumer wrapper returns an error with a nil `*ProblemDetails` object. In this specific error branch, the handler attempts to read `problemDetails.Cause` despite `problemDetails` being nil, leading to a runtime panic. The Gin recovery mechanism converts this panic into an HTTP 500 Internal Server Error. This issue can be triggered without an Authorization header as the route group is mounted without inbound authentication middleware. **Recommendations** Update to version 4.2.2. As a temporary workaround, restrict access to the "/3gpp-pfd-management/v1/{afId}/transactions/{transId}/applications/{appId}" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The UDR `nudr-dr` handler for the endpoint "DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions" contains a nil-pointer dereference. This occurs when a request is made with a nonexistent `subsId` after a preparatory authenticated EE-subscription has been created to allocate UE state. The handler identifies the missing entry and sets a 404 error but fails to return, subsequently attempting to access `UESubsData.EeSubscriptionCollection[subsId].AmfSubscriptionInfos`. This results in a runtime panic that is converted into an HTTP 500 error by the Gin recovery mechanism. An authenticated attacker with a valid `nudr-dr` OAuth2 access token can repeatedly trigger this panic, leading to a denial-of-service (DoS) through resource degradation. **Recommendations** Update to version 4.2.2.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The UDR `nudr-dr` handler in free5GC contains an issue where a single authenticated request can cause a panic. This occurs when a request is made to the endpoint "DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions" and the provided `ueId` does not exist in the `UESubsCollection`. The system identifies the missing user and sets a 404 USER NOT FOUND error, but fails to stop execution. It subsequently attempts a Go type assertion on a nil interface using the `RemoveAmfSubscriptionsInfoProcedure()` function, leading to an interface conversion panic. While the Gin recovery mechanism converts this panic into an HTTP 500 error, the endpoint remains susceptible to repeated panics, which can be used to sustain a per-request denial-of-service (DoS) by increasing CPU and log write overhead. **Recommendations** Update to version 4.2.2. As a temporary workaround, restrict access to the "DELETE /subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The NRF root SBI endpoint "POST /oauth2/token" contains a parser-level type-confusion bug. The handler in `NFs/nrf/internal/sbi/api accesstoken.go` uses reflection over `models.NrfAccessTokenAccessTokenReq` but only special-cases plain `string` and `NrfNfManagementNfType` fields, treating all other fields as `models.PlmnId`. When an attacker provides a field name in the form body that is incompatible with the `models.PlmnId` type (such as a slice or a different struct), the `reflect.Value.Set()` function triggers a panic. While the Gin recovery mechanism converts these panics into HTTP 500 errors, the endpoint remains remotely panicable via unauthenticated form-encoded requests. This can be triggered using several parameters, including `requesterPlmnList`, `requesterSnssaiList`, `requesterSnpnList`, `targetSnpn`, `targetSnssaiList`, and `targetNsiList`. **Recommendations** Update to version 4.2.2.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The Network Exposure Function (NEF) mounts the '3gpp-traffic-influence' API without requiring inbound OAuth2 or bearer-token authorization. A network attacker with access to the NEF on the Service Based Interface (SBI) can perform create, read, patch, and delete operations on traffic-influence subscriptions. This can be achieved by omitting the `Authorization` header entirely or by using a forged bearer token. This allows for the creation of `AnyUeInd=true` subscriptions to affect group or any-UE traffic steering. Additionally, the route group remains reachable even if the `ServiceList` in the running configuration does not declare it, meaning operators cannot disable the service via configuration to mitigate the risk. **Recommendations** Update to version 4.2.2.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The Network Exposure Function (NEF) mounts the 'nnef-oam' route group without requiring inbound OAuth2 or bearer-token authorization. A network attacker with access to the NEF on the Service Based Interface (SBI) can access the OAM route without an `Authorization` header, resulting in a 200 OK response. While the current OAM handler is a stub that returns `null`, the defect is scoped to the entire route group. Consequently, any future Operations, Administration, and Maintenance (OAM) operations added to this group will lack an authentication boundary by default, allowing anonymous probing and potential unauthorized execution of future administrative functions. **Recommendations** Update to version 4.2.2.

**Name of the Vulnerable Software and Affected Versions** free5GC SMF version 4.2.1 **Description** The SMF mounts the `UPI` management route group without inbound OAuth2 middleware, allowing unauthenticated access. A flaw in the `DeleteUpNodeLink` function causes a nil-pointer dereference when processing requests for Access Network (AN) typed nodes, as these nodes are constructed without a `UPF` object. Specifically, the handler calls `upNode.UPF.CancelAssociation()` unconditionally, leading to a panic. Furthermore, the `UpNodeDelete(upNodeRef)` function is executed before the panic occurs, resulting in the mutation of the in-memory user-plane topology. An off-path network attacker can exploit this by sending a `DELETE` request to the endpoint "/upi/v1/upNodesLinks/{upNodeRef}" using the `upNodeRef` variable, which can delete arbitrary named entries and deny the SMF's ability to use those nodes for legitimate sessions. **Recommendations** Update free5GC SMF to a version that incorporates the fix from pull request 199. As a temporary workaround, restrict network access to the SMF SBI interface to authorized sources only to prevent unauthenticated access to the "/upi/v1/upNodesLinks/" endpoint.

**Name of the Vulnerable Software and Affected Versions** free5GC version 4.2.1 **Description** The Session Management Function (SMF) mounts the `UPI` management route group without OAuth2 or bearer-token authorization middleware. This allows a network attacker with access to the Service Based Interface (SBI) to perform unauthorized operations by sending requests without an `Authorization` header. The issue is specific to the `UPI` route group, as other groups like `nsmf-oam` are correctly protected. Technical details include the ability to perform the following operations: - Read operations via the endpoint '/upi/v1/upNodesLinks'. - Write operations via the endpoint '/upi/v1/upNodesLinks' using a `POST` request to inject attacker-controlled UPF nodes and link payloads. - Delete operations via the endpoint '/upi/v1/upNodesLinks/{nodeID}'. This lack of authentication enables an attacker to read the UP-plane topology, poison the SMF's view of UPFs to bias PDU session selection, or disrupt legitimate UPF participation through deletions.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The Network Exposure Function (NEF) in free5GC mounts the '3gpp-pfd-management' API without inbound OAuth2 or bearer-token authorization. A network attacker with access to the Service Based Interface (SBI) can use forged or arbitrary bearer tokens to create, read, and delete PFD-management transaction states. This allows for the poisoning of policy state used by the Session Management Function (SMF) and User Plane Function (UPF) for traffic classification, leakage of application function policy data, and denial of service for legitimate application detection rules. Technical details include: - API Endpoints: '/3gpp-pfd-management/v1/{scsAsID}/transactions' and '/3gpp-pfd-management/v1/{scsAsID}/transactions/{transID}' - Vulnerable Parameters: `Authorization` header - Vulnerable Functions: `PostPFDManagementTransactions()`, `GetIndividualPFDManagementTransaction()`, and `DeleteIndividualPFDManagementTransaction()` Additionally, the route group remains reachable even if the `ServiceList` in the running configuration does not declare it, meaning the service cannot be disabled via this configuration setting. **Recommendations** Update to version 4.2.2.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 4.2.2 **Description** The PCF Npcf SMPolicyControl service lacks authentication middleware in the `NewServer()` function, where the `smPolicyGroup` route group is created without attaching the `RouterAuthorizationCheck` middleware. This allows unauthenticated requests to bypass OAuth token validation and reach business logic. This issue can lead to the disclosure of subscriber SUPI (Subscription Permanent Identifier). The affected endpoints are "/npcf-smpolicycontrol/v1/sm-policies", "/npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}", "/npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/update", and "/npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}/delete". **Recommendations** Update to version 4.2.2.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 1.2.2 **Description** free5GC CHF has an out-of-bounds slice access issue within the `nchf-convergedcharging` service. A valid, authenticated request to the `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` **API Endpoint** can cause a server-side panic in the `github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)` function due to an out-of-range slice access. While Gin recovery may convert the panic into an HTTP 500 error, the recharge path remains susceptible to repeated panic triggers, potentially degrading recharge functionality and flooding logs. Deployments lacking equivalent recovery mechanisms may experience more significant service disruptions. The issue involves accessing a slice outside its defined bounds, leading to unexpected program behavior. **Recommendations** Versions prior to 1.2.2: Restrict access to the `nchf-convergedcharging` recharge endpoint to only trusted NF callers. Versions prior to 1.2.2: Implement rate limiting or network ACLs before the CHF SBI interface to reduce repeated attempts to trigger the panic. Versions prior to 1.2.2: If the recharge API is not required, temporarily disable or block external access to this route. Versions prior to 1.2.2: Ensure panic recovery, monitoring, and alerting are enabled.

**Name of the Vulnerable Software and Affected Versions** free5GC SMF versions up to and including 1.4.1 **Description** free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. The SMF component experiences a panic and terminates when processing a malformed PFCP SessionReportRequest on the PFCP interface (UDP/8805). This issue occurs when receiving a malformed message via the `PFCP` interface. No upstream fix is currently available. Mitigation strategies include applying Access Control Lists (ACLs) or a firewall to the `PFCP` interface to restrict access to trusted UPF IPs, dropping or inspecting malformed `PFCP SessionReportRequest` messages at the network edge, or adding a recover function around the `PFCP` handler dispatch to prevent complete process termination. **Recommendations** free5GC SMF versions up to and including 1.4.1: Apply ACL/firewall rules to the `PFCP` interface (UDP/8805) to allow only trusted UPF IPs to connect. free5GC SMF versions up to and including 1.4.1: Drop or inspect malformed `PFCP SessionReportRequest` messages at the network edge. free5GC SMF versions up to and including 1.4.1: Add a recover function around the `PFCP` handler dispatch to prevent process termination.

**Name of the Vulnerable Software and Affected Versions** free5GC SMF versions up to and including 1.4.1 **Description** free5GC SMF provides the Session Management Function for free5GC, an open-source project for 5G mobile core networks. The software experiences a panic and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. The issue occurs when receiving a malformed message via the PFCP interface, specifically a `SessionReportRequest`. No upstream fix is currently available. Mitigation strategies include restricting access to the PFCP interface to trusted UPF IPs, dropping or inspecting malformed PFCP SessionReportRequest messages at the network edge, or adding recover() around PFCP handler dispatch to prevent complete process termination. **Recommendations** free5GC SMF versions up to and including 1.4.1: Apply ACL/firewall rules to the PFCP interface to allow only trusted UPF IPs to connect. free5GC SMF versions up to and including 1.4.1: Drop or inspect malformed PFCP SessionReportRequest messages at the network edge. free5GC SMF versions up to and including 1.4.1: Add recover() around PFCP handler dispatch to avoid whole-process termination as a mitigation.