free5gc UDM
cpe:2.3:a:free5gc:udm:*:*:*:*:go:*:*
- <= 1.4.0
A vulnerability exists in the free5GC Unified Data Management (UDM) component, specifically in versions through 1.4.1, where remote attackers can inject control characters into the ueId parameter of the Nudm_UECM GET request. This injection causes internal URL parsing errors, exposing system implementation details that could be used for service fingerprinting. All deployments of free5GC using the UDM Nudm_UECM service may be affected.
Exploitation of this vulnerability leads to a 500 Internal Server Error, with the UDM service failing to process the request due to invalid control characters in the UE ID. This error can disrupt normal service operations and, according to the free5GC team, the information exposure could aid in service probing.
The vulnerability can be reproduced by sending a GET request to the Nudm_UECM endpoint with a ueId parameter that includes URL-encoded control characters, such as NUL bytes. This can be done using a tool like curl, after disabling OAuth in the free5GC configuration for testing purposes.
Users are advised to upgrade to free5GC version 4.0.2 or later, which includes the necessary input validation fix. The issue has been addressed in the official free5GC UDM repository.
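The following Go sketch is an added example, not code from free5GC: it models a handler that puts the decoded ueId into an internal URL, and shows how rejecting control characters first turns the 500 with parser detail into a generic 400. The base URL, path suffix and IMSI are constructed, and the function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed values for illustration; not free5GC's real internal URL or a real subscriber.
const (
	constructedBase = "http://nf.example.internal/constructed-path"
	sampleUeID      = "imsi-208930000000001"
)

var errInvalidUeID = errors.New("invalid ueId")

// validateUeID rejects an empty value or any ASCII control character
// (0x00-0x1F, 0x7F), the same byte class net/url refuses to parse.
func validateUeID(ueID string) error {
	isCTL := func(r rune) bool { return r < 0x20 || r == 0x7f }
	if ueID == "" || strings.IndexFunc(ueID, isCTL) >= 0 {
		return errInvalidUeID
	}
	return nil
}

// statusFor models a handler that places the already-decoded ueId into an
// internal URL. It returns the HTTP status and the body the client would see.
func statusFor(ueID string, validate bool) (int, string) {
	if validate {
		if err := validateUeID(ueID); err != nil {
			return 400, err.Error() // generic message, nothing internal
		}
	}
	if _, err := url.Parse(constructedBase + "/" + ueID + "/registrations"); err != nil {
		return 500, err.Error() // parser text quotes the internal URL
	}
	return 200, "ok"
}

func main() {
	for _, id := range []string{sampleUeID, sampleUeID + "\x00"} {
		for _, v := range []bool{false, true} {
			code, body := statusFor(id, v)
			fmt.Printf("validate=%-5v ueId=%q -> %d %s\n", v, id, code, body)
		}
	}
}
```

Returning the parser error to the client is what exposes the implementation detail; the validated path returns only the fixed string.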