Free5GC Denial-of-Service Vulnerability via Crafted POST Request to Npcf_BDTPolicyControl API

Vulnerability

A denial-of-service vulnerability has been identified in Free5GC versions 4.0.0 and 4.0.1. The issue arises when a crafted POST request is sent to the Npcf_BDTPolicyControl API, causing the PCF component to panic and crash. This panic is triggered by an unsafe type assertion in the request handling process, where the application fails to properly verify the type of a copied object before attempting to cast it, leading to a runtime error.
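
The failure mode described above, as an added Go example that is not Free5GC's code: the names bdtRequest, copyObject, unsafeHandle, safeHandle and guard are hypothetical, and the nil input is constructed. It contrasts the single-value type assertion, which panics on a mismatch, with the checked comma-ok form, and adds a recover wrapper so that a panic in one request does not end the process.

```go
package main

import "fmt"

// bdtRequest is a hypothetical stand-in for a request model, not Free5GC's type.
type bdtRequest struct{ AspID string }

// copyObject is a hypothetical copy helper. It returns interface{}, so the
// caller must assert the concrete type; a nil source yields an untyped nil.
func copyObject(src *bdtRequest) interface{} {
	if src == nil {
		return nil
	}
	dup := *src
	return &dup
}

// unsafeHandle uses the single-value assertion, which panics on any mismatch.
func unsafeHandle(req *bdtRequest) (string, error) {
	c := copyObject(req).(*bdtRequest)
	return c.AspID, nil
}

var errBadRequest = fmt.Errorf("bad request: unexpected object type")

// safeHandle uses the comma-ok form and turns a mismatch into an error.
func safeHandle(req *bdtRequest) (string, error) {
	c, ok := copyObject(req).(*bdtRequest)
	if !ok || c == nil {
		return "", errBadRequest
	}
	return c.AspID, nil
}

// guard converts a panic in h into an error so one request cannot end the process.
func guard(h func(*bdtRequest) (string, error), req *bdtRequest) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	return h(req)
}

func main() {
	fmt.Println(guard(unsafeHandle, nil)) // constructed input: nil request object
	fmt.Println(safeHandle(nil))
}
```

The recover wrapper is defence in depth only; the checked assertion is what lets the handler reject the request with an error instead of panicking.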

Impact

Exploitation of this vulnerability causes the PCF component to panic and terminate, disrupting service availability.

Reproduction

The vulnerability can be reproduced by sending a POST request to the Npcf_BDTPolicyControl API endpoint. This request should include a JSON payload that triggers the unsafe type assertion. The PCF component must be running and, if OAuth is enabled, a valid authorization token must be included in the request.

Remediation

Users can update to Free5GC version 4.1.0, where this vulnerability has been fixed.

Added: Nov 24, 2025, 4:22 PM
Updated: Nov 24, 2025, 8:24 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 1.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.