Zfei10990-Cmd

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 1.4.2 **Description** This issue is an Improper Input Validation leading to Denial of Service in free5GC NRF. All deployments of free5GC using the NRF discovery service are affected. The `EncodeGroupId` function attempts to access array indices [0],[1],[2] without validating the length of the split data. When the `group-id-list` parameter contains insufficient separator characters in an HTTP GET request, the code panics with an "index out of range" error. A remote attacker can cause the NRF service to panic and crash by sending a crafted HTTP GET request with a malformed `group-id-list` parameter, resulting in a complete denial of service for the NRF discovery service. The API endpoint involved is the NRF API. **Recommendations** free5GC versions prior to 1.4.2: Apply the provided patch or restrict access to the NRF API to trusted sources only.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 1.4.2 free5GC version 4.0.1 **Description** free5GC is an open source 5G core network. A flaw exists in the AUSF component where an improper null check can lead to a denial of service. Specifically, the `GetSupiFromSuciSupiMap` function attempts to convert an interface from `interface{}` to `*context.SuciSupiMap` without verifying if the underlying value is nil. If `SuciSupiMap` is nil, the code will panic, resulting in a complete denial of service for the AUSF authentication service. This issue affects deployments using the AUSF UE authentication service, accessible via the `/nausf-auth/v1/ue-authentications` API endpoint. An attacker can trigger this by sending a crafted UE authentication request. **Recommendations** Upgrade free5GC to version 1.4.2 or later. Restrict access to the AUSF API endpoint `/nausf-auth/v1/ue-authentications` to trusted sources only.

**Name of the Vulnerable Software and Affected Versions** Free5GC versions prior to 1.4.2 **Description** Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are susceptible to a procedure panic caused by a Nil Pointer Dereference in the `/sdm-subscriptions` API endpoint. A remote attacker can cause the UDM service to panic and crash by sending a crafted POST request to the `/sdm-subscriptions` endpoint with a malformed URL path containing path traversal sequences (`../`) and a large JSON payload. The `DataChangeNotificationProcedure` function in `notifier.go` attempts to access a nil pointer without proper validation, resulting in a complete service crash. Exploitation leads to disruption of UDM functionality until recovery via restart. **Recommendations** Upgrade to Free5GC version 1.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** Free5GC versions prior to 1.4.2 **Description** The UDM component in Free5GC incorrectly handles DELETE requests with an empty `supi` path parameter. Specifically, when a client sends a DELETE request with an empty `supi` (e.g., double slashes `//` in the URL path) to the `/sdm-subscriptions` endpoint, the UDM forwards the malformed request to the UDR. The UDR correctly returns a 400 Bad Request error, but the UDM incorrectly propagates this as a 500 Internal Server Error (SYSTEM FAILURE) to the client. This behavior leaks internal error handling details and hinders clients from differentiating between client-side and server-side errors, violating REST API best practices for DELETE operations. The affected component is the UDM Nudm SDM service. **Recommendations** Upgrade to Free5GC version 1.4.2 or later to resolve this issue. As a temporary workaround, implement API gateway-level validation to reject DELETE requests with empty path parameters before they reach the UDM.

**Name of the Vulnerable Software and Affected Versions** Free5GC versions prior to 1.4.2 **Description** Free5GC’s UDM component exhibits improper error handling and HTTP method translation issues. Specifically, when handling PATCH requests to the `/sdm-subscriptions` endpoint with an empty `supi` path parameter, the UDM incorrectly converts a 400 Bad Request (received from UDR) into a 500 Internal Server Error. Additionally, the UDM incorrectly translates the PATCH method to PUT when forwarding the request to UDR. This behavior leaks internal error handling details, making it difficult for clients to differentiate between client-side and server-side errors. The issue affects deployments using the UDM Nudm SDM service and impacts the handling of PATCH operations. The `supi` parameter in the API endpoint is vulnerable. **Recommendations** Upgrade to Free5GC version 1.4.2 or later to address the issue. As a temporary workaround, implement API gateway-level validation to reject PATCH requests with empty path parameters before they reach the UDM.

**Name of the Vulnerable Software and Affected Versions** free5GC versions prior to 1.4.2 **Description** The free5GC UDR component, a user data repository for 5G mobile core networks, exhibits an information disclosure issue. The NEF component reveals internal parsing error details to remote clients, potentially aiding attackers in service fingerprinting. This affects all deployments of free5GC utilizing the Nnef PfdManagement service. The issue stems from the reliable leakage of parsing errors, such as invalid characters, to external entities. **Recommendations** Apply the patch available in free5gc/udr pull request 56.