free5gc UDM NULL Pointer Dereference Vulnerability Leading to Denial-of-Service

Vulnerability

A NULL pointer dereference vulnerability has been identified in the free5gc UDM component in versions through 1.4.0. It allows remote, unauthenticated attackers to trigger a service panic, resulting in a denial-of-service condition. The panic occurs when the UDM service processes a PUT request carrying an unexpected ueId value, which crashes the service. All deployments of free5gc that use the UDM component may be affected.

Impact

Exploitation of this vulnerability causes a service panic due to a NULL pointer dereference, crashing the UDM service and disrupting its functionality.

Reproduction

To reproduce this vulnerability, send a PUT request to the UDM's 'nudm-uecm' endpoint with an invalid ueId value, such as 'ZZZ_NOT_MATCH'. Ensure that the request includes the appropriate headers and a crafted JSON payload. The UDM service will then panic and return a 500 Internal Server Error response.

Remediation

Users are advised to upgrade to free5gc UDM version 1.4.1 or later, where this vulnerability has been fixed. The issue is addressed by implementing proper validation for the ueId parameter, ensuring that invalid values do not cause a service crash.
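As an added example (not free5gc's own code), the following Go sketch contrasts a handler that dereferences the parsed ueId without a nil check, reproducing the panic-to-500 symptom described above, against one that validates the identifier first and answers 400. The ueIdentity type, the accepted identifier forms, the regular expression, and both handler functions are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
)

// Hypothetical UE identity record; free5gc's real types are not reproduced here.
type ueIdentity struct{ Kind, Value string }

// Constructed pattern for the identifier forms this toy handler accepts. An
// unrecognised ueId such as "ZZZ_NOT_MATCH" matches nothing and parses to nil.
var ueIdPattern = regexp.MustCompile(`^(imsi|nai|gci|gli)-(.+)$`)

func parseUeId(ueId string) *ueIdentity {
	m := ueIdPattern.FindStringSubmatch(ueId)
	if m == nil {
		return nil
	}
	return &ueIdentity{Kind: m[1], Value: m[2]}
}

// Vulnerable pattern: the parse result is dereferenced without a nil check.
// The deferred recover models the HTTP framework turning the panic into a 500.
func handleVulnerable(ueId string) (status int, kind string) {
	defer func() {
		if r := recover(); r != nil {
			status, kind = 500, ""
		}
	}()
	id := parseUeId(ueId)
	return 200, id.Kind // nil pointer dereference when id == nil
}

// Hardened pattern: validate ueId first and reject unknown forms with 400.
func handleHardened(ueId string) (status int, kind string) {
	id := parseUeId(ueId)
	if id == nil {
		return 400, ""
	}
	return 200, id.Kind
}

func main() {
	for _, u := range []string{"imsi-208930000000003", "ZZZ_NOT_MATCH"} { // constructed samples
		s, _ := handleVulnerable(u)
		h, _ := handleHardened(u)
		fmt.Printf("%-22s vulnerable=%d hardened=%d\n", u, s, h)
	}
}
```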

Added: Feb 24, 2026, 12:21 AM
Updated: Feb 24, 2026, 12:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.