free5gc UDM Improper Input Validation Vulnerability in Nudm_UEAU Service Allowing Control Character Injection

Vulnerability

A vulnerability exists in the free5gc Unified Data Management (UDM) component, versions through 1.4.1, in the Nudm_UEAU service. The supi path parameter is not validated before use, so a remote attacker can inject control characters such as null bytes into it. The unvalidated value then triggers an internal URL parsing error, and the server answers with a 500 Internal Server Error that carries system-level error details instead of returning a proper 4xx client error. Those details can be used to fingerprint the service.

Impact

An attacker who can reach the Nudm_UEAU endpoint can make the UDM fail while processing a crafted supi and read internal error details in the 500 response. The direct consequence is information disclosure: the error text reveals how the server handles the identifier internally and can be used to fingerprint the service, its software stack and its configuration. Because every probe produces a 500, repeated 5xx responses from the Nudm_UEAU endpoint are also a usable detection signal for operators.

Reproduction

With a free5GC UDM instance running (and OAuth on the SBI disabled for testing convenience), send a POST request to the Nudm_UEAU API with a control character in the supi path parameter, for example a null byte percent-encoded as %00; a raw null byte is rejected at the HTTP layer before it reaches the handler. A vulnerable UDM responds with 500 Internal Server Error instead of rejecting the request with a 4xx error, which shows that the value was passed to internal processing without validation.

Remediation

Users are advised to upgrade to free5GC version 1.4.2 or later, where this vulnerability has been fixed. The official patch is available in the free5gc/udm repository, merged into the main branch.
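The following Go program is an added illustration of the vulnerability described above, the reproduction request and the shape of the fix; it is not free5GC's code. It assumes hypothetical NF hostnames (udm.example, udr.example), a Nudm_UEAU path following TS 29.503 (/nudm-ueau/v1/{supi}/security-information/generate-auth-data), a constructed request body, and a simplified handler flow in which the supi is embedded in the path of a follow-on request. The supi regex is an assumption, deliberately narrower than the catch-all the 3GPP OpenAPI schema allows. What it shows is the real mechanism for a Go service: net/url refuses any URL containing an ASCII control byte, so an unvalidated null byte produces a parser error (including the echoed URL) that an unvalidated handler turns into a 500, while the hardened handler rejects it with a generic 400.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
	"unicode"
)

// Hypothetical NF base URLs for this example; free5GC takes the real
// addresses from its configuration.
const (
	udmBase = "http://udm.example:8000"
	udrBase = "http://udr.example:8000"
)

// supiPattern (assumed) accepts imsi-<5..15 digits> or nai-<non-control text>.
// It is narrower than the catch-all the 3GPP OpenAPI schema permits.
var supiPattern = regexp.MustCompile(`^(imsi-[0-9]{5,15}|nai-[^\x00-\x1f\x7f]+)$`)

// ValidateSupi rejects control characters and malformed identifiers before
// the value reaches any URL construction. A handler maps an error to 400.
func ValidateSupi(supi string) error {
	for i, r := range supi {
		if unicode.IsControl(r) {
			return fmt.Errorf("supi contains control character 0x%02x at offset %d", r, i)
		}
	}
	if !supiPattern.MatchString(supi) {
		return fmt.Errorf("supi %q does not match expected format", supi)
	}
	return nil
}

// BuildUdrURL embeds the supi in the path of a follow-on request, as an NF
// consumer does. Go's net/url refuses any URL containing an ASCII control
// byte, so an unvalidated null byte fails here, not in the transport.
func BuildUdrURL(supi string) (string, error) {
	u, err := url.Parse(udrBase + "/nudr-dr/v2/subscription-data/" + supi +
		"/authentication-data/authentication-subscription")
	if err != nil {
		return "", err
	}
	return u.String(), nil
}

// UnvalidatedHandler models the pre-fix behaviour: the supi goes straight
// into URL construction and the parser's error text is returned with a 500.
func UnvalidatedHandler(supi string) (int, string) {
	if _, err := BuildUdrURL(supi); err != nil {
		return http.StatusInternalServerError, err.Error()
	}
	return http.StatusOK, "ok"
}

// HardenedHandler validates first and returns a generic 400 on bad input, so
// neither the parser error nor the echoed URL reaches the client.
func HardenedHandler(supi string) (int, string) {
	if err := ValidateSupi(supi); err != nil {
		return http.StatusBadRequest, "invalid supi"
	}
	if _, err := BuildUdrURL(supi); err != nil {
		return http.StatusInternalServerError, "internal error"
	}
	return http.StatusOK, "ok"
}

// BuildReproRequest builds the POST a tester would send. The null byte must
// travel percent-encoded (%00): url.PathEscape does that, and the server
// decodes it back to a raw NUL in the path parameter. The body is constructed.
func BuildReproRequest(supi string) (*http.Request, error) {
	path := "/nudm-ueau/v1/" + url.PathEscape(supi) + "/security-information/generate-auth-data"
	body := strings.NewReader(`{"servingNetworkName":"5G:mnc093.mcc208.3gppnetwork.org"}`)
	req, err := http.NewRequest(http.MethodPost, udmBase+path, body)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

func main() {
	bad := "imsi-2089300000\x0000001" // constructed supi with an embedded NUL
	req, _ := BuildReproRequest(bad)
	fmt.Println("wire path:", req.URL.EscapedPath())
	code, msg := UnvalidatedHandler(bad)
	fmt.Printf("before fix: %d %s\n", code, msg)
	code, msg = HardenedHandler(bad)
	fmt.Printf("after fix:  %d %s\n", code, msg)
}
```

The pre-fix message is worth reading in full: url.Parse wraps its error with the offending URL quoted, so the 500 body leaks both the parser's wording and the downstream URL layout, which is exactly the fingerprinting material the advisory describes. The hardened handler makes the validation decision before the value touches any URL and never forwards error text to the client.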

Added: Feb 24, 2026, 1:32 AM
Updated: Feb 24, 2026, 1:32 AM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 0.6
exploitability: 8.7
remediation: 7.7
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.