free5GC UDR Service Policy Data Subscription Update Fail-Open Vulnerability

Vulnerability

A fail-open vulnerability has been identified in the free5GC UDR service, specifically in versions through 4.2.1. The issue arises in the PUT handler for updating Policy Data notification subscriptions, located at /nudr-dr/v2/policy-data/subs-to-notify/{subsId}. When the handler encounters errors during request body retrieval or deserialization, it fails to terminate the execution properly. Although it sends HTTP 500 or 400 error responses, the processing continues, potentially allowing unintended modifications to existing Policy Data notification subscriptions with invalid or empty input. This behavior depends on how downstream processors and storage systems handle such inputs.

Impact

Exploitation of this vulnerability could lead to unauthorized modifications of Policy Data notification subscriptions, allowing invalid or empty inputs to be processed and stored. The extent of the impact may vary based on the specific behaviors of downstream processing and storage validation.

Remediation

The vulnerability can be addressed by modifying the PUT handler to immediately return after sending an error response for body read or deserialization failures. This includes adding missing return statements and ensuring that a pointer to the destination object is passed during deserialization.
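
The pattern described above, modeled with Go's standard library as an added example (not free5GC's own code): with failOpen set, the handler sends the error response but still overwrites the stored subscription, while the early return leaves it intact. The simplified PolicyDataSubscription struct, the in-memory store, the replay helper and the sample URI are assumptions; both failure kinds are answered with 400 here for brevity.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const prefix = "/nudr-dr/v2/policy-data/subs-to-notify/"

// PolicyDataSubscription is a simplified stand-in for the real model (assumption).
type PolicyDataSubscription struct {
	NotificationUri string `json:"notificationUri"`
}

var store = map[string]PolicyDataSubscription{} // stands in for downstream storage

// putHandler models the PUT handler; failOpen reproduces the missing returns.
func putHandler(failOpen bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var sub PolicyDataSubscription
		body, err := io.ReadAll(r.Body)
		if err == nil {
			err = json.Unmarshal(body, &sub) // pointer to the destination object
		}
		if err != nil {
			http.Error(w, "invalid request body", http.StatusBadRequest)
			if !failOpen {
				return // the fix: stop right after the error response
			}
		}
		store[strings.TrimPrefix(r.URL.Path, prefix)] = sub
		w.WriteHeader(http.StatusNoContent) // ignored if an error was already sent
	}
}

// replay sends a malformed PUT (constructed input) and returns status and stored URI.
func replay(failOpen bool) (int, string) {
	store["sub1"] = PolicyDataSubscription{NotificationUri: "http://pcf.example/notify"}
	req := httptest.NewRequest(http.MethodPut, prefix+"sub1", strings.NewReader("{not json"))
	rec := httptest.NewRecorder()
	putHandler(failOpen)(rec, req)
	return rec.Code, store["sub1"].NotificationUri
}

func main() {
	fmt.Println(replay(true))  // error status, stored subscription overwritten
	fmt.Println(replay(false)) // error status, stored subscription intact
}
```

The client sees the same 400 in both cases, so response codes alone do not reveal the fail-open path; a regression test has to assert on the stored state.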

Added: Apr 16, 2026, 10:25 PM
Updated: Apr 16, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.2
remediation: 0.0
relevance: 6.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.