free5GC CHF Out-of-Bounds Slice Access Vulnerability in Converged Charging Service Allowing Denial-of-Service

A denial-of-service vulnerability has been identified in the free5GC Converged Charging Function (CHF) version 1.4.2 and prior. The issue arises in the 'nchf-convergedcharging' service, where a valid authenticated request to the 'PUT /nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...' endpoint can cause a server-side panic due to out-of-bounds slice access. This vulnerability can be exploited repeatedly, degrading the recharge functionality and flooding logs. In environments without proper panic recovery, it may lead to more severe service disruptions.

Impact

Exploitation of this vulnerability causes a server-side panic, which can be converted into an HTTP 500 response. However, the endpoint remains vulnerable to repeated abuse, which can disrupt normal operations and degrade functionality. In environments without equivalent recovery handling, this panic may cause more severe service disruption.

Reproduction

The vulnerability can be reproduced by sending a valid authenticated 'PUT' request to the '/nchf-convergedcharging/v3/recharging/:ueId' endpoint, including a 'ratingGroup' query parameter. This request will trigger a panic in the server, causing a denial-of-service condition on the recharge path.

Remediation

Users can upgrade to free5GC CHF version 1.4.2 or later, where this vulnerability has been fixed. Alternatively, the issue can be addressed by restricting access to the 'nchf-convergedcharging' recharge endpoint to trusted NF callers, applying rate limiting or network ACLs to reduce repeated exploitation attempts, temporarily disabling the recharge API if not needed, and ensuring proper panic recovery, monitoring, and alerting are in place.