free5GC UDR Service Improper Path Validation Vulnerability Allows Unauthenticated Deletion of Traffic Influence Subscriptions
Vulnerability
A vulnerability exists in the free5GC UDR service in versions through 4.2.1, allowing unauthenticated deletion of Traffic Influence Subscriptions. The issue arises from improper path validation in the subscription deletion handler, which fails to correctly enforce the expected path segment. Instead of terminating the request after sending a 404 Not Found response for invalid path segments, the handler continues execution and deletes the subscription. This flaw can be exploited by sending a DELETE request with an arbitrary influenceId, while the API misleadingly indicates that the resource was not found. The vulnerability is present in any free5GC instance where the 5G Service Based Interface is accessible to untrusted parties, such as through misconfigured network segmentation or a compromised internal host.
Impact
Exploitation of this vulnerability allows for unauthorized deletion of Traffic Influence Subscriptions, disrupting policy-related notification workflows and removing active subscription states from the UDR. The deletion can be harder to detect due to the misleading 404 Not Found response, which does not reflect the actual outcome of the request.
Reproduction
To reproduce this vulnerability, first create a Traffic Influence Subscription by sending a POST request to the '/nudr-dr/v2/application-data/influenceData/subs-to-notify' endpoint with the required subscription details. Once a subscription is created, delete it by sending a DELETE request to the same endpoint, but replace 'subs-to-notify' with an arbitrary value. The response will indicate a 404 Not Found error, but the subscription will still be deleted. This can be verified by attempting to retrieve the subscription, which will result in a 'USER_NOT_FOUND' error, confirming its deletion.
Remediation
The vulnerability has been patched in free5GC version 4.2.2 by adding the missing return statement in the subscription deletion handler, ensuring that invalid path segments are properly rejected before any deletion occurs.
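The missing-return pattern and its fix, as an added example that is not free5GC's own code: a simplified model built on the standard library net/http package. The handler names, the in-memory store, the subscription id "sub-1" and the 204 success status are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// store is a constructed stand-in for the UDR's subscription state.
type store map[string]bool

type handler func(w http.ResponseWriter, segment, subID string, s store)

// deleteMissingReturn models the flaw: the 404 is written, but execution
// falls through to the delete because the branch does not return.
func deleteMissingReturn(w http.ResponseWriter, segment, subID string, s store) {
	if segment != "subs-to-notify" {
		http.Error(w, "not found", http.StatusNotFound)
	}
	delete(s, subID)
	w.WriteHeader(http.StatusNoContent) // no effect once the 404 has been written
}

// deleteWithReturn models the fix: reject the bad segment and stop.
func deleteWithReturn(w http.ResponseWriter, segment, subID string, s store) {
	if segment != "subs-to-notify" {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	delete(s, subID)
	w.WriteHeader(http.StatusNoContent) // assumed success status
}

// probe issues one delete against a fresh store and reports the status the
// client sees and whether the subscription still exists afterwards.
func probe(h handler, segment string) (int, bool) {
	s := store{"sub-1": true} // constructed subscription id
	rec := httptest.NewRecorder()
	h(rec, segment, "sub-1", s)
	return rec.Code, s["sub-1"]
}

func main() {
	for name, h := range map[string]handler{"missing return": deleteMissingReturn, "with return": deleteWithReturn} {
		code, kept := probe(h, "bogus")
		fmt.Printf("%-14s status=%d subscription kept=%v\n", name, code, kept)
	}
}
```

Both handlers answer 404 for the bad segment, so a regression test for this class of bug has to assert on the stored state after a rejected request, not on the status code.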
