free5GC UDR Improper Error Handling Vulnerability in Nnef PfdManagement Service

A vulnerability exists in free5GC UDR versions prior to 1.4.1, related to improper error handling that leads to information exposure. This issue affects all deployments of free5GC using the Nnef_PfdManagement service. The NEF component incorrectly returns a 500 Internal Server Error for missing PFD data, instead of a proper 404 Not Found. This misrepresentation can hinder troubleshooting and expose internal error details to remote clients, potentially aiding in server software fingerprinting.

Impact

The vulnerability causes the NEF component to leak internal parsing error details to remote clients, which can assist attackers in fingerprinting server software and logic flows. Additionally, it misrepresents the system's state by returning a 500 error for conditions that should result in a 404, blurring security-relevant error boundaries and complicating troubleshooting.

Reproduction

To reproduce this vulnerability, send a GET request to the Nnef_PfdManagement API for an application PFD that does not exist. The UDR will return a 404 error, but the NEF component will misinterpret this as a server error, resulting in a 500 Internal Server Error response. This can be verified by including the 'supported-features' parameter in the request, which triggers the error handling flaw.

Remediation

Users should upgrade to free5GC version 1.4.1 or later, where this vulnerability has been patched. The fix involves adding missing return statements after error responses to prevent invalid JSON from being sent to the NEF component.