Free5GC UDR Service Information Disclosure Vulnerability via Traffic Influence Subscription Endpoint
Vulnerability
A vulnerability allowing information disclosure has been identified in the Free5GC Unified Data Repository (UDR) service, affecting versions through 4.2.1. The issue arises in the endpoint GET /nudr-dr/v2/application-data/influenceData/subs-to-notify, which is part of the 5G Service Based Interface. The endpoint fails to properly validate query parameters, allowing an unauthenticated attacker with network access to retrieve sensitive subscriber identifiers, specifically SUPI and IMSI values, with a simple parameterless HTTP GET request. This vulnerability undermines the privacy protections of the 3GPP SUCI concealment mechanism, exposing the most critical subscriber identifier in 5G networks.
Impact
Exploitation of this vulnerability allows for unauthorized access to SUPI and IMSI values of subscribers, violating privacy guarantees established by 3GPP.
Reproduction
The vulnerability can be reproduced by sending a parameterless HTTP GET request to the endpoint /nudr-dr/v2/application-data/influenceData/subs-to-notify. The response carries a 400 Bad Request status, but its body contains the full list of Traffic Influence Subscriptions, including sensitive SUPI/IMSI values.
Remediation
Users can update to Free5GC version 4.2.2 or later, where this vulnerability has been patched by adding the necessary return statements to prevent the unintentional leakage of subscriber data.
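The missing-return pattern described under Reproduction and Remediation, as an added Go example that is not Free5GC source code: a stand-in handler writes the 400 error and falls through to the data path, next to the corrected form that returns. The handler names, the `dnn`/`supi` parameter names, the error text and the sample SUPI are assumptions constructed for illustration.

```go
// Added illustration: stand-in handlers, not Free5GC source code.
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample store; the SUPI is a made-up test value.
var subs = []map[string]string{{"supi": "imsi-001010000000001"}}

const endpoint = "/nudr-dr/v2/application-data/influenceData/subs-to-notify"

// hasFilter: the parameter names "dnn" and "supi" are assumptions for this sketch.
func hasFilter(r *http.Request) bool {
	q := r.URL.Query()
	return q.Get("dnn") != "" || q.Get("supi") != ""
}

// writeProblem sends the 400 status and a constructed error body.
func writeProblem(w http.ResponseWriter) {
	w.WriteHeader(http.StatusBadRequest)
	json.NewEncoder(w).Encode(map[string]string{"detail": "query parameter required"})
}

// vulnerable: the error is written, but the handler keeps going.
func vulnerable(w http.ResponseWriter, r *http.Request) {
	if !hasFilter(r) {
		writeProblem(w)
		// missing return: execution falls through to the data path
	}
	json.NewEncoder(w).Encode(subs) // appended to the 400 body (filtering omitted)
}

// fixed: return immediately after the error response.
func fixed(w http.ResponseWriter, r *http.Request) {
	if !hasFilter(r) {
		writeProblem(w)
		return
	}
	json.NewEncoder(w).Encode(subs) // filtering omitted in this stand-in
}

// probe sends a parameterless GET to h and returns status code and body.
func probe(h http.HandlerFunc) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, endpoint, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	for _, h := range []http.HandlerFunc{vulnerable, fixed} {
		code, body := probe(h)
		fmt.Printf("%d %q\n", code, body)
	}
}
```

Both handlers answer 400, so a status-code check alone does not catch the leak; a regression test for this class of bug has to assert on the response body as well.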
