free5GC
cpe:2.3:a:free5gc:free5gc:*:*:*:*:*:*:*
- <= v4.2.1
A nil-pointer dereference in the free5GC UDR (Unified Data Repository) affects all versions up to and including v4.2.1. The defect is in the 'nudr-dr' handler for DELETE '/subscription-data/{ueId}/{servingPlmnId}/ee-subscriptions/{subsId}/amf-subscriptions'. It is triggered by an authenticated request that deletes the AMF subscriptions of a non-existent 'subsId' after an earlier authenticated request has created an EE subscription for the same 'ueId': the handler does not check that the 'subsId' entry exists, dereferences the resulting nil entry, and panics at runtime. The Gin recovery middleware turns the panic into a 500 Internal Server Error instead of crashing the process, but the request can be repeated at will, which yields a denial-of-service condition.
Each exploitation causes a runtime panic from the nil-pointer dereference; the panic is logged and surfaces to the client as a 500 Internal Server Error. The result is a per-request denial-of-service condition on the UDR: every such request costs more CPU and log-write I/O than a normal response would, and an attacker holding a valid token can send them continuously.
To reproduce, restart the UDR service to clear its state, obtain a valid OAuth2 token for the 'nudr-dr' service, and use it to create an EE subscription for a chosen 'ueId'. Then send a DELETE request to the 'amf-subscriptions' endpoint for that 'ueId' with a 'subsId' that does not exist. The request triggers the nil-pointer dereference; the resulting panic can be confirmed in the UDR logs.
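The following is an added example illustrating the defect pattern and its fix described above; it is not free5GC's code and does not reproduce its data model. It assumes a hypothetical store keyed by ueId and then subsId, a hypothetical EeSubscription record, and handlers that receive the already-parsed path parameters. free5GC's UDR uses Gin, but to keep the example dependency-free it uses net/http and httptest, with an Invoke wrapper that emulates what gin.Recovery() does (catch the panic, answer 500). The vulnerable handler checks the per-UE entry but not the subsId entry, so a DELETE for an unknown subsId after an EE subscription exists for that UE dereferences a nil pointer; the fixed handler checks both lookups and answers 404 with a ProblemDetails-style body (the cause string is illustrative).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// EeSubscription is an illustrative stand-in for the stored EE subscription
// record; it is not free5GC's data model.
type EeSubscription struct {
	CallbackReference string   `json:"callbackReference"`
	AmfSubscriptions  []string `json:"amfSubscriptions,omitempty"`
}

// Store keeps EE subscriptions keyed by ueId, then by subsId (assumed layout).
type Store struct {
	mu   sync.Mutex
	subs map[string]map[string]*EeSubscription
}

func NewStore() *Store {
	return &Store{subs: make(map[string]map[string]*EeSubscription)}
}

// CreateEeSubscription models the POST that precedes the crash: it creates the
// per-UE map, which is the state the vulnerable DELETE handler then trusts.
func (s *Store) CreateEeSubscription(ueId, subsId string, sub *EeSubscription) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.subs[ueId] == nil {
		s.subs[ueId] = make(map[string]*EeSubscription)
	}
	s.subs[ueId][subsId] = sub
}

// writeProblem emits a minimal ProblemDetails-style body; the cause string is
// illustrative, not taken from the free5GC source.
func writeProblem(w http.ResponseWriter, status int, cause string) {
	w.Header().Set("Content-Type", "application/problem+json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(map[string]interface{}{"status": status, "cause": cause})
}

// VulnerableDeleteAmfSubscriptions shows the defect pattern: the per-UE map is
// checked, but the subsId lookup is not, so a missing subsId yields the map's
// zero value (a nil *EeSubscription) that is then dereferenced.
func (s *Store) VulnerableDeleteAmfSubscriptions(w http.ResponseWriter, ueId, subsId string) {
	s.mu.Lock()
	defer s.mu.Unlock() // still runs while the panic unwinds, so the lock is released
	ueSubs, ok := s.subs[ueId]
	if !ok {
		writeProblem(w, http.StatusNotFound, "DATA_NOT_FOUND")
		return
	}
	sub := ueSubs[subsId]      // nil when subsId does not exist
	sub.AmfSubscriptions = nil // runtime panic: nil pointer dereference
	w.WriteHeader(http.StatusNoContent)
}

// FixedDeleteAmfSubscriptions checks the second lookup as well and answers 404
// instead of panicking.
func (s *Store) FixedDeleteAmfSubscriptions(w http.ResponseWriter, ueId, subsId string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	ueSubs, ok := s.subs[ueId]
	if !ok {
		writeProblem(w, http.StatusNotFound, "DATA_NOT_FOUND")
		return
	}
	sub, ok := ueSubs[subsId]
	if !ok || sub == nil {
		writeProblem(w, http.StatusNotFound, "DATA_NOT_FOUND")
		return
	}
	sub.AmfSubscriptions = nil
	w.WriteHeader(http.StatusNoContent)
}

// Invoke runs a handler against a recorder and emulates gin.Recovery(): a panic
// is caught and converted into a 500, which is what the UDR's client observes.
func Invoke(h func(http.ResponseWriter, string, string), ueId, subsId string) (status int, panicked bool) {
	rec := httptest.NewRecorder()
	defer func() {
		if r := recover(); r != nil {
			panicked = true
			rec.WriteHeader(http.StatusInternalServerError)
			status = rec.Code
		}
	}()
	h(rec, ueId, subsId)
	return rec.Code, false
}

func main() {
	s := NewStore()
	ue := "imsi-208930000000003" // constructed sample ueId
	s.CreateEeSubscription(ue, "1", &EeSubscription{CallbackReference: "http://nef.example/cb"})
	st, p := Invoke(s.VulnerableDeleteAmfSubscriptions, ue, "does-not-exist")
	fmt.Printf("vulnerable: status=%d panicked=%v\n", st, p)
	st, p = Invoke(s.FixedDeleteAmfSubscriptions, ue, "does-not-exist")
	fmt.Printf("fixed:      status=%d panicked=%v\n", st, p)
}
```

Running main prints a 500 with panicked=true for the vulnerable path and a 404 with panicked=false for the fixed one; the same store is reused across calls, which also shows that the deferred unlock survives the panic, i.e. the process stays up and each further request repeats the cost of a panic plus its log entry rather than crashing once.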
Upgrade to free5GC v4.2.2, which fixes this issue.