Free5GC PCF Null Pointer Dereference Vulnerability in SM Policy Handling

Vulnerability

A null pointer dereference vulnerability has been identified in the Free5GC PCF component, specifically in versions through 1.4.1. The issue arises in the 'HandleCreateSmPolicyRequest' function within 'internal/sbi/processor/smpolicy.go'. When an HTTP CreateSmPolicy request is processed, a downstream OpenAPI call may return a 404 Not Found error. Instead of handling this error gracefully, the PCF continues processing and encounters a nil pointer dereference, leading to a crash. This vulnerability can be exploited remotely, causing a denial-of-service condition by terminating the PCF process.
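The failure pattern described above, reduced to a self-contained Go program. This is an added example, not Free5GC code: `smData`, `lookupSmData`, `createUnsafe`, `createSafe` and `panics` are hypothetical names, and answering with 404 in the hardened variant is this example's assumption, not a description of the upstream fix.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Hypothetical stand-ins for illustration; not Free5GC types or functions.
type smData struct{ SessionRule string }

// lookupSmData mimics a downstream OpenAPI client: on a non-2xx reply it
// returns a nil result together with an error.
func lookupSmData(dnn string) (*smData, error) {
	if dnn != "internet" { // constructed sample: only this DNN exists
		return nil, errors.New("404 Not Found")
	}
	return &smData{SessionRule: "default"}, nil
}

// createUnsafe logs the downstream error, keeps going, and then reads a
// field through the nil pointer.
func createUnsafe(dnn string) int {
	data, err := lookupSmData(dnn)
	if err != nil {
		fmt.Println("openapi error:", err) // logged, but no return
	}
	if data.SessionRule == "" { // runtime panic when data is nil
		return http.StatusForbidden
	}
	return http.StatusCreated
}

// createSafe stops at the error and maps it to an HTTP status for the caller.
func createSafe(dnn string) int {
	data, err := lookupSmData(dnn)
	if err != nil || data == nil {
		return http.StatusNotFound // assumption: status chosen for this example
	}
	if data.SessionRule == "" {
		return http.StatusForbidden
	}
	return http.StatusCreated
}

// panics reports whether f panicked, so the demo can show the crash safely.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	fmt.Println("unsafe panics:", panics(func() { createUnsafe("no-such-dnn") }))
	fmt.Println("safe status:", createSafe("no-such-dnn"))
}
```

The unsafe variant's log line followed by a panic matches the sequence the advisory describes; the safe variant returns to the caller before any field of the nil result is read.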

Impact

A remote attacker can trigger this vulnerability to crash the PCF process, causing a denial-of-service condition.

Reproduction

To reproduce this vulnerability, send an HTTP POST request to the '/npcf-smpolicycontrol/v1/sm-policies' endpoint with a JSON payload that includes a 'dnn' value that will trigger a 404 Not Found response from the downstream OpenAPI call. The PCF will log the OpenAPI error and then panic due to the nil pointer dereference, causing the process to crash.

Remediation

Users are advised to update to Free5GC PCF version 1.4.2 or later, where this vulnerability has been fixed.

Added: Feb 2, 2026, 2:20 AM
Updated: Feb 2, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.