free5GC UDR Service Improper Path Validation Vulnerability Allows Unauthenticated Access to Traffic Influence Subscriptions
Vulnerability
A vulnerability exists in the free5GC UDR service in versions through 4.2.1, where improper path validation allows unauthenticated access to Traffic Influence Subscriptions. The issue arises because the handler for reading subscriptions does not correctly validate the influenceId path segment. Instead of rejecting invalid values, the handler continues execution after sending a 404 response, inadvertently disclosing subscription data. This vulnerability can be exploited by sending a request with any influenceId value, while a valid subscriptionId is required to retrieve the subscription data. The exposed information may include sensitive details such as SUPIs/IMSIs, DNNs, S-NSSAIs, and callback URIs.
Impact
Exploitation of this vulnerability leads to unauthorized information disclosure, allowing attackers to access sensitive subscriber-related data through the 5G Service Based Interface.
Reproduction
To reproduce this vulnerability, first create a Traffic Influence Subscription to obtain a valid subscriptionId. Then send a GET request to the influenceData endpoint with an invalid influenceId, such as 'WRONGID', while including the valid subscriptionId. The response carries a 404 status, but the subscription data is still present in the response body, demonstrating that the handler continues past its error path instead of stopping.
Remediation
Users should update to the patched version of free5GC, where this vulnerability has been addressed by adding the missing return statement after the 404 response in the UDR service's API data repository handling function.
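The defect class the advisory describes, as an added Go example that is not free5GC's code: a hypothetical net/http handler that writes a 404 for an unknown influenceId and, in the vulnerable form, keeps executing so the record for a valid subscriptionId is still appended to the body; the fixed form returns right after the error response. The in-memory maps, the record field names and the `call` helper are constructed stand-ins, not the UDR's real repository or schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed sample data standing in for the UDR repository; field names are illustrative.
var influenceData = map[string]bool{"42": true} // known influenceIds
var subs = map[string]map[string]string{"sub-123": {"supi": "imsi-208930000000001", "dnn": "internet"}}

// writeSub looks up the record by subscriptionId and writes it; both handlers share it.
func writeSub(w http.ResponseWriter, subscriptionID string) {
	if sub, ok := subs[subscriptionID]; ok {
		json.NewEncoder(w).Encode(sub)
		return
	}
	w.WriteHeader(http.StatusNotFound)
}

// vulnerableReadSub models the bug class: 404 is sent for an unknown influenceId, then execution falls through.
func vulnerableReadSub(w http.ResponseWriter, influenceID, subscriptionID string) {
	if !influenceData[influenceID] {
		http.Error(w, "influenceId not found", http.StatusNotFound)
		// missing return here is the defect: the lookup below still runs and appends the record
	}
	writeSub(w, subscriptionID)
}

// fixedReadSub stops after the error response, so the lookup never runs.
func fixedReadSub(w http.ResponseWriter, influenceID, subscriptionID string) {
	if !influenceData[influenceID] {
		http.Error(w, "influenceId not found", http.StatusNotFound)
		return
	}
	writeSub(w, subscriptionID)
}

// call drives a handler through an in-memory recorder and returns status and body.
func call(h func(http.ResponseWriter, string, string), influenceID, subscriptionID string) (int, string) {
	rec := httptest.NewRecorder()
	h(rec, influenceID, subscriptionID)
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(call(vulnerableReadSub, "WRONGID", "sub-123")) // 404 followed by the leaked record
}
```

A unit test driving both handlers through httptest, as shown in `call`, is the cheapest regression check for this fall-through pattern: assert that an error status is never accompanied by record data in the body.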
