free5GC UDR NEF Component Improper Error Handling Vulnerability Allowing Service Fingerprinting

An improper error handling vulnerability has been identified in the free5GC User Data Repository (UDR) component, specifically within the NEF (Network Exposure Function) service. This vulnerability is present in free5GC versions through 1.4.1. When the Nnef_PfdManagement service is used and a requested application PFD (Policy Framework Data) is not found, the NEF component incorrectly returns a 500 Internal Server Error. This response includes internal parsing error details, such as 'invalid character 'n' after top-level value', which can assist attackers in service fingerprinting. The issue arises because NEF fails to properly handle non-existent app IDs, instead of mapping the error to a suitable 4xx client error, such as 404 Not Found.

Impact

Exploitation of this vulnerability leads to the NEF component leaking internal JSON parsing error details to remote clients, which can aid in service fingerprinting. Additionally, the incorrect HTTP status code misrepresentation blurs security-relevant error boundaries and hinders troubleshooting.

Reproduction

To reproduce this vulnerability, send a GET request to the Nnef_PfdManagement API for an application PFD that does not exist. The NEF component will respond with a 500 Internal Server Error, including a JSON parsing error message. This behavior can be verified by checking the response headers and body for the error details.

Remediation

The vulnerability has been patched in free5GC UDR version 1.4.1. Users should upgrade to this version. The patch is also available in the free5GC UDR GitHub repository, in pull request #56.