Free5GC UDM Nil Pointer Dereference Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Free5GC versions prior to 1.4.2. The issue arises in the UDM service's DataChangeNotificationProcedure, where a nil pointer dereference occurs. This vulnerability can be exploited by sending a crafted POST request to the /sdm-subscriptions endpoint, using a malformed URL path that includes path traversal sequences and a large JSON payload. The lack of proper validation allows the request to cause a runtime error, leading to a complete service crash. Recovery requires a manual restart of the UDM service.

Impact

Exploitation of this vulnerability causes the UDM service to panic and crash, disrupting all UDM functionality until the service is manually restarted.

Reproduction

To reproduce this vulnerability, send a POST request to the /sdm-subscriptions endpoint with a malformed URL path that includes path traversal sequences, such as '../', and a large JSON payload. This can be done using a tool like curl. The UDM service will crash, displaying a runtime error indicating an invalid memory address or nil pointer dereference.

Remediation

Users should upgrade to Free5GC version 1.4.2 or later, where this vulnerability has been fixed.
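
For deployments that want a guard in front of the handler as well, the following Go example (added here; it is not Free5GC source code and not the 1.4.2 fix) wraps a net/http handler so that requests with ".." path segments are rejected, the JSON body is size-capped, and a handler panic is logged and answered with a 500. The names Harden, Probe and maxBodyBytes, the 64 KiB limit, the stand-in handler and the /ue-1/ request paths are assumptions made for the illustration.

```go
// Added illustration; not Free5GC source code and not its 1.4.2 fix.
package main

import (
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxBodyBytes = 64 << 10 // assumed cap for a subscription JSON body

// Harden rejects ".." path segments, caps the body, and logs and answers 500 on a handler panic.
func Harden(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("panic on %s %q: %v", r.Method, r.URL.Path, rec)
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		if strings.Contains(r.URL.Path+"/", "/../") { // decoded path, so %2e%2e is caught too
			http.Error(w, "invalid path", http.StatusBadRequest)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
		next.ServeHTTP(w, r)
	})
}

// Probe sends a constructed POST through Harden to a hypothetical stand-in handler; returns the status.
func Probe(target, body string) int {
	h := Harden(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var sub *struct{ ID string } // stays nil when the body is empty
		if b, err := io.ReadAll(r.Body); err != nil {
			http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
			return
		} else if len(b) > 0 {
			sub = &struct{ ID string }{"constructed-id"}
		}
		w.Header().Set("Location", r.URL.Path+"/"+sub.ID) // nil dereference if sub == nil
		w.WriteHeader(http.StatusCreated)
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("POST", target, strings.NewReader(body)))
	return rec.Code
}

func main() { log.Println(Probe("/ue-1/../sdm-subscriptions", "{}"), Probe("/ue-1/sdm-subscriptions", "")) }
```

The recovered-panic log line records the method and path, which makes it a usable detection signal for this class of request.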

Added: Mar 20, 2026, 8:19 AM
Updated: Mar 20, 2026, 8:19 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.9
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.