Free5GC
cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*
- v4.0.0
- v4.0.1
A denial-of-service vulnerability has been identified in Free5GC versions 4.0.0 and 4.0.1. The issue arises in the Nudm_SubscriberDataManagement API, where a GET request lacking certain optional parameters leads to a 500 Internal Server Error. This error is caused by an unhandled index out-of-range panic, disrupting normal service operation. The vulnerability can be reproduced by sending a GET request to the Nudm_SubscriberDataManagement API without the supported-features parameter, or by omitting the single-nssai parameter when accessing specific endpoints. The UDM component fails to process these requests correctly, resulting in a generic server error instead of a proper client-side response.
Exploitation of this vulnerability causes a service panic, leading to a 500 Internal Server Error. This disrupts normal operations of the UDM component within the Free5GC framework.
To reproduce this vulnerability, start Free5GC using Docker Compose and ensure that the UDM component is running. If OAuth is enabled, retrieve a valid authorization token for the Nudm_SubscriberDataManagement service. Then, send a GET request to the Nudm_SubscriberDataManagement API without including the supported-features parameter. Alternatively, omit the single-nssai parameter when making a GET request to the Nudm_SubscriberDataManagement API's id-translation-result endpoint. The UDM component will respond with a 500 Internal Server Error, demonstrating the denial-of-service condition.
Users can update to Free5GC version 4.1.0, where this vulnerability has been fixed.
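The bug class described above (indexing the values of an optional query parameter that was never sent) next to a guarded form, as an added Go example. This is not free5GC source code: the handlers, helper names and request path are hypothetical, and a deferred `recover` stands in for a framework's panic-to-500 middleware.

```go
// Added example, not free5GC source; handler and helper names are hypothetical.
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// unsafeFirst indexes an optional query parameter without checking it was sent.
func unsafeFirst(r *http.Request, name string) string {
	return r.URL.Query()[name][0] // panics when the parameter is absent
}

// safeFirst reports whether the parameter was present instead of panicking.
func safeFirst(r *http.Request, name string) (string, bool) {
	vals := r.URL.Query()[name]
	if len(vals) == 0 {
		return "", false
	}
	return vals[0], true
}

func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	// Stand-in for a recovery middleware that turns a panic into a 500.
	defer func() {
		if recover() != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
		}
	}()
	fmt.Fprintf(w, "features=%s", unsafeFirst(r, "supported-features"))
}

func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	// Optional parameter: absence is valid (a required one would get a 400).
	features, _ := safeFirst(r, "supported-features")
	fmt.Fprintf(w, "features=%s", features)
}

// status sends a constructed GET request to h and returns the response code.
func status(h http.HandlerFunc, target string) int {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	fmt.Println(status(vulnerableHandler, "/example"), status(hardenedHandler, "/example")) // constructed path
}
```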