free5gc UDM
cpe:2.3:a:free5gc:udm:*:*:*:*:go:*:*
- <= 1.4.0
A vulnerability exists in the free5gc Unified Data Management (UDM) component, specifically in versions through 1.4.1. The issue arises from inadequate input validation on the pduSessionId parameter within the Nudm_UECM DELETE endpoint. This flaw allows the service to process invalid pduSessionId inputs, such as non-numeric strings or integers exceeding the 32-bit range, resulting in a 500 Internal Server Error. Such errors leak internal implementation details, which could be exploited for service fingerprinting.
Exploitation of this vulnerability causes the UDM service to return detailed internal error messages to clients, including parsing errors from the strconv.ParseInt function. This not only exposes sensitive implementation details but also disrupts normal error handling by misclassifying client errors as server errors, creating a false impression of server-side issues.
To reproduce this vulnerability, send a DELETE request to the Nudm_UECM v1 endpoint with an invalid pduSessionId. This can be done using curl. For example, a numeric string that exceeds the 32-bit integer limit will trigger a strconv.ParseInt range error, while a non-numeric string will cause a syntax error. The server's response will include the raw error message, demonstrating the information leak.
Users are advised to upgrade to free5gc version 1.4.2 or later, where this vulnerability has been fixed. The official patch is available in the free5gc UDM repository, merged as part of pull request #76.
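The pattern described above next to a hardened form, as an added Go example (not free5gc source and not the patch from pull request #76). The function names `leakyParse` and `hardenedParse` are hypothetical, and the 0..255 bound assumes the 3GPP PduSessionId range.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
)

// leakyParse mirrors the behaviour the advisory describes (hypothetical
// reconstruction, not free5gc source): any parse failure becomes a 500
// whose body is the raw strconv error.
func leakyParse(raw string) (status int, detail string) {
	if _, err := strconv.ParseInt(raw, 10, 32); err != nil {
		return http.StatusInternalServerError, err.Error()
	}
	return http.StatusNoContent, ""
}

// hardenedParse treats a bad pduSessionId as a client error and returns a
// fixed message, so parser internals never reach the response body.
// Assumption: valid IDs are 0..255 (the 3GPP PduSessionId range).
func hardenedParse(raw string) (status int, detail string) {
	id, err := strconv.ParseUint(raw, 10, 8)
	if err != nil {
		// Log err server-side here; the client only sees a generic detail.
		return http.StatusBadRequest, "invalid pduSessionId"
	}
	_ = id // would be passed on to the deregistration logic
	return http.StatusNoContent, ""
}

func main() {
	// Constructed sample inputs: valid, out of 32-bit range, non-numeric.
	for _, raw := range []string{"5", "99999999999", "abc"} {
		ls, ld := leakyParse(raw)
		hs, hd := hardenedParse(raw)
		fmt.Printf("%-12q leaky=%d %q | hardened=%d %q\n", raw, ls, ld, hs, hd)
	}
}
```

A regression test for the fix can assert that every malformed pduSessionId yields a 4xx status and that the response body never contains the substring `strconv.`.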