Free5GC UDM Improper Error Handling Vulnerability in Subscriber Data Management API

Vulnerability

A vulnerability exists in the Free5GC UDM component, specifically within the Nudm_SubscriberDataManagement API, in versions prior to 1.4.2. The issue arises when a DELETE request is sent to the sdm-subscriptions endpoint with an empty supi path parameter (for example, when the URL contains a double slash where the supi should be). In this scenario, the UDM incorrectly translates the 400 Bad Request response from the UDR into a 500 Internal Server Error with the cause SYSTEM_FAILURE. This mishandling of error responses obscures the distinction between client-side and server-side errors, violating REST API best practices for DELETE operations.

Impact

This vulnerability leads to improper error handling, causing the UDM to misrepresent the nature of the error encountered. Instead of accurately conveying a client-side issue, it erroneously indicates a server-side failure, which could confuse clients interacting with the API.

Reproduction

To reproduce this vulnerability, send a DELETE request to the sdm-subscriptions endpoint with an empty supi path parameter, such as by including double slashes in the URL. The UDM will forward this request to the UDR, which will respond with a 400 Bad Request. However, the UDM will incorrectly propagate this as a 500 Internal Server Error, demonstrating the error handling flaw.

Remediation

Users should upgrade to Free5GC version 1.4.2 or later, where this vulnerability has been patched. The fix involves adding validation to ensure that the supi path parameter is not empty before forwarding DELETE requests to the UDR.
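As an added illustration, not free5gc's own code: a stand-alone Go sketch of the hardened DELETE handling the fix describes, rejecting an empty supi before the request reaches the UDR and passing a UDR 4xx through unchanged instead of relabelling it SYSTEM_FAILURE. The /nudm-sdm/v2 path layout, the udrDeleteFunc signature, the MANDATORY_IE_MISSING cause and the fakeUDR stand-in are assumptions; the supi in main is a constructed sample value.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// udrDeleteFunc stands in for the UDM's call to the UDR (assumed signature).
type udrDeleteFunc func(supi, subID string) (status int, cause string)

// parseSdmPath splits /nudm-sdm/v2/{supi}/sdm-subscriptions/{subscriptionId};
// a double slash ("/v2//sdm-subscriptions/...") yields an empty supi.
func parseSdmPath(path string) (supi, subID string, ok bool) {
	const prefix, mid = "/nudm-sdm/v2/", "/sdm-subscriptions/"
	if !strings.HasPrefix(path, prefix) {
		return "", "", false
	}
	return strings.Cut(strings.TrimPrefix(path, prefix), mid)
}

// deleteSdmSubscription is the hardened handler: it rejects an empty supi
// before forwarding (cause value assumed) and passes a UDR 4xx through
// unchanged, whereas before the fix every UDR error became 500 SYSTEM_FAILURE.
func deleteSdmSubscription(path string, udr udrDeleteFunc) (int, string) {
	supi, subID, ok := parseSdmPath(path)
	if !ok || supi == "" || subID == "" {
		return http.StatusBadRequest, "MANDATORY_IE_MISSING"
	}
	st, cause := udr(supi, subID)
	if st == http.StatusNoContent || (st >= 400 && st < 500) {
		return st, cause // client-side outcome: report it as such
	}
	return http.StatusInternalServerError, "SYSTEM_FAILURE"
}

// fakeUDR is a constructed stand-in for the UDR that rejects an empty supi.
func fakeUDR(supi, _ string) (int, string) {
	if supi == "" {
		return http.StatusBadRequest, "MANDATORY_IE_MISSING"
	}
	return http.StatusNoContent, ""
}

func main() { // the supi below is a constructed sample value
	for _, p := range []string{"/nudm-sdm/v2/imsi-208930000000001/sdm-subscriptions/1", "/nudm-sdm/v2//sdm-subscriptions/1"} {
		st, cause := deleteSdmSubscription(p, fakeUDR)
		fmt.Printf("DELETE %s -> %d %s\n", p, st, cause)
	}
}
```

With the double-slash path the handler now answers 400 locally; only a non-4xx error from the UDR is still reported as 500 SYSTEM_FAILURE.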

Added: Mar 20, 2026, 8:19 AM
Updated: Mar 20, 2026, 8:19 AM

Vulnerability Rating

Custom Algorithm
spread:         0.3
impact:         0.6
exploitability: 5.8
remediation:    7.9
relevance:      4.2
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.