free5GC UDR CORS Misconfiguration Vulnerability in PCF Leading to Memory Leak and Denial-of-Service

A memory leak vulnerability has been identified in free5GC UDR's Policy Control Function (PCF) component, specifically in versions prior to 1.4.3. This vulnerability allows any unauthenticated attacker with network access to the PCF Service-Based Interface (SBI) to cause uncontrolled memory growth by sending repeated HTTP requests to the Operations, Administration, and Maintenance (OAM) endpoint. The issue arises from a CORS middleware being registered on every incoming request, which permanently expands the Gin router's handler chain. As a result, the application experiences progressive memory exhaustion, leading to a denial-of-service condition where all User Equipment (UE) are unable to access Access and Mobility (AM) and Session Management (SM) policies, thereby obstructing 5G session establishment.

Impact

Exploitation of this vulnerability causes uncontrolled memory consumption, leading to a denial-of-service condition where the PCF becomes unresponsive. This disruption prevents UEs from receiving essential AM and SM policies, causing failures in new session establishments and policy updates for existing sessions. In a production environment, this would result in a complete loss of 5G service for all subscribers served by the affected PCF instance.

Reproduction

The vulnerability can be reproduced by sending a high volume of HTTP requests to the PCF OAM endpoint. This can be done from any container on the same Docker network as the PCF, without the need for authentication. The memory usage of the PCF can be monitored using Docker's stats command, which will show a significant increase in memory consumption that does not return to baseline levels, eventually leading to an out-of-memory condition where the PCF process is killed.

Remediation

Users can upgrade to free5GC version 1.4.3 or later, where this vulnerability has been patched.