free5GC SMF Unauthenticated Panic-DoS Vulnerability via UPI Management Route

Vulnerability

A denial-of-service vulnerability has been identified in free5GC's SMF component, specifically in versions prior to 4.2.2. The issue arises because the SMF mounts the UPI management route group without proper authentication middleware, leaving it exposed to unauthenticated requests. The vulnerability is triggered by the DELETE /upi/v1/upNodesLinks/{upNodeRef} endpoint, which improperly handles AN-typed nodes by dereferencing a nil UPF object, leading to a runtime panic. This flaw not only causes a crash but also disrupts the in-memory user-plane topology, creating a state-mutating denial-of-service condition that can be exploited by an off-path network attacker against any AN entry.

Impact

Exploitation of this vulnerability causes a nil pointer dereference panic, disrupting the SMF's user-plane topology management. The panic is recoverable, but the preceding topology mutation remains, causing persistent issues in UPF selection and session management.

Reproduction

The vulnerability can be reproduced by sending an unauthenticated DELETE request to the UPI management endpoint for an AN node, such as 'gNB1'. This request will result in a 500 Internal Server Error due to a nil pointer dereference, while also deleting the node from the in-memory topology.

Remediation

Users can update to free5GC version 4.2.2, where this vulnerability has been fixed.
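The two controls the description implies (authenticate the whole management route group, and finish every check before touching the topology) can be modelled as below. This is an added example using Go's standard net/http, not free5GC's code and not the 4.2.2 patch; the type names, the `send` helper and the constructed token are hypothetical, and letting an AN node be deleted without UPF teardown is an assumption about correct handling.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

type UPF struct{ Addr string } // hypothetical model types, not free5GC's own
type UPNode struct{ Type string; UPF *UPF } // Type is "AN" or "UPF"; UPF is nil for AN
type Topology struct{ nodes map[string]*UPNode } // real code also needs a lock

func requireToken(next http.HandlerFunc) http.HandlerFunc { // guards the whole group
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer constructed-token" { // stand-in check
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// deleteNode finishes every check before it mutates the topology.
func (t *Topology) deleteNode(w http.ResponseWriter, r *http.Request) {
	ref := strings.TrimPrefix(r.URL.Path, "/upi/v1/upNodesLinks/")
	n, ok := t.nodes[ref]
	if !ok {
		http.Error(w, "unknown node", http.StatusNotFound)
		return
	}
	if n.Type == "UPF" && n.UPF != nil {
		_ = n.UPF.Addr // UPF-only teardown would go here; never reached for AN
	}
	delete(t.nodes, ref) // the only state change, after all checks
	w.WriteHeader(http.StatusNoContent)
}

func send(t *Topology, ref, auth string) int { // DELETE ref via the guarded handler
	req := httptest.NewRequest(http.MethodDelete, "/upi/v1/upNodesLinks/"+ref, nil)
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	requireToken(t.deleteNode)(rec, req)
	return rec.Code
}

func main() {
	t := &Topology{nodes: map[string]*UPNode{"gNB1": {Type: "AN"}}}
	fmt.Println(send(t, "gNB1", ""), send(t, "gNB1", "Bearer constructed-token"))
}
```

An unauthenticated request is rejected before the handler runs, so the topology is untouched, and an authenticated delete of an AN node completes without reaching any UPF field.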

Added: May 28, 2026, 4:14 AM
Updated: May 28, 2026, 4:14 AM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 3.1
exploitability: 8.7
remediation: 7.7
relevance: 9.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.