free5GC AMF Missing Default Case in Content-Type Switch Leading to Uninitialized Request Objects
Vulnerability
A vulnerability exists in free5GC AMF versions prior to 1.4.3 within the 'HTTPUEContextTransfer' handler. The issue arises because the 'Content-Type' switch statement lacks a 'default' case. As a result, when a request is received with an unsupported 'Content-Type', deserialization is silently skipped and the 'err' variable is left unchanged (nil), so the processor is called with a completely uninitialized (zero-value) 'UeContextTransferRequest' object. This could disrupt the expected handling of UE context transfer requests, particularly during AMF-to-AMF UE context handovers, because rejection of such requests then depends solely on the processor's own validation logic, which could be inadvertently altered in the future.
Impact
Exploitation of this vulnerability could lead to the processing of empty request objects, bypassing essential input validations and increasing the risk of unintended state modifications.
Reproduction
To reproduce this vulnerability, deploy free5GC AMF and send a POST request to the UE context transfer endpoint with an unsupported 'Content-Type', such as 'text/plain'. The request will be processed with an uninitialized 'UeContextTransferRequest' object, bypassing the necessary error checks and validation.
Remediation
Users can upgrade to free5GC AMF version 1.4.3, which addresses this vulnerability by adding the missing 'default' case in the 'Content-Type' switch statement.
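The following is an added, self-contained Go illustration of the pattern described in the Vulnerability and Remediation sections; it is not free5GC's own code. It assumes a simplified 'UeContextTransferRequest' struct with only two fields and a handler that parses 'application/json' (the real handler accepts further media types), and uses a constructed sample body. 'decodeVulnerable' reproduces the switch without a 'default' case, so an unsupported 'Content-Type' yields a zero-value request and a nil error; 'decodeFixed' adds the 'default' case so the caller always receives an error for media types it cannot parse.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// UeContextTransferRequest is a simplified stand-in for the request body the
// handler decodes (an assumption of this example, not free5GC's actual type).
type UeContextTransferRequest struct {
	Supi   string `json:"supi"`
	Reason string `json:"reason"`
}

// ErrUnsupportedMediaType is what the fixed decoder returns for media types
// the handler does not parse; a handler would map it to HTTP 415.
var ErrUnsupportedMediaType = errors.New("unsupported Content-Type")

// mediaType strips parameters such as "; charset=utf-8" before matching.
func mediaType(contentType string) string {
	return strings.TrimSpace(strings.Split(contentType, ";")[0])
}

// decodeVulnerable mirrors the flawed pattern: with no default case, an
// unknown Content-Type skips deserialization entirely, err stays nil, and the
// zero-value request is handed on as if it had been decoded successfully.
func decodeVulnerable(contentType string, body []byte) (UeContextTransferRequest, error) {
	var req UeContextTransferRequest
	var err error
	switch mediaType(contentType) {
	case "application/json":
		err = json.Unmarshal(body, &req)
	}
	return req, err
}

// decodeFixed adds the missing default case, so unsupported media types are
// rejected before any downstream processing sees the request.
func decodeFixed(contentType string, body []byte) (UeContextTransferRequest, error) {
	var req UeContextTransferRequest
	var err error
	switch mediaType(contentType) {
	case "application/json":
		err = json.Unmarshal(body, &req)
	default:
		err = fmt.Errorf("%w: %q", ErrUnsupportedMediaType, contentType)
	}
	return req, err
}

// processorAccepts stands in for the downstream processor's validation (also
// an assumption of this example): it rejects a request with an empty SUPI.
// The advisory's point is that the decoder must not rely on this check alone.
func processorAccepts(req UeContextTransferRequest) bool {
	return req.Supi != ""
}

func main() {
	// Constructed sample body; the SUPI value is illustrative only.
	body := []byte(`{"supi":"imsi-208930000000003","reason":"INIT_REG"}`)
	for _, ct := range []string{"application/json", "text/plain"} {
		vReq, vErr := decodeVulnerable(ct, body)
		fReq, fErr := decodeFixed(ct, body)
		fmt.Printf("%-16s vulnerable: req=%+v err=%v processorAccepts=%v\n",
			ct, vReq, vErr, processorAccepts(vReq))
		fmt.Printf("%-16s fixed:      req=%+v err=%v\n", ct, fReq, fErr)
	}
}
```

Running the block shows that for 'text/plain' the vulnerable decoder returns an empty struct with a nil error, so only 'processorAccepts' stands between the request and further processing, whereas the fixed decoder returns 'ErrUnsupportedMediaType' and the handler can reject the request up front. The same check is what the 1.4.3 'default' case provides.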
