Free5GC Type Confusion Vulnerability in APER Component

Vulnerability

A type confusion vulnerability has been identified in Free5GC version 4.2.0, specifically within an unknown function of the APER component. This vulnerability allows for remote exploitation, although it is characterized by high complexity and difficulty. The issue arises because Free5GC accepts non-printable strings in fields that are defined as requiring printable strings, such as the RANNodeName in the NGSetupRequest. This discrepancy could lead to crashes or bugs when the improperly formatted data is processed later.

Impact

Exploitation of this vulnerability could cause type confusion, leading to potential crashes or unexpected behavior in the application.

Reproduction

To reproduce this vulnerability, send an NGSetupRequest with a RANNodeName field containing non-printable characters, such as the byte sequence representing characters 1 through 5. The Free5GC application will accept this invalid input, even though it violates the specification requiring a printable string.
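The check whose absence is described above, as an added example (not Free5GC's code or its patch): a Go validation of a decoded value against the ASN.1 PrintableString alphabet. The function names and sample values are constructed for illustration, and the page's "characters 1 through 5" is assumed to mean bytes 0x01 to 0x05.

```go
package main

import "fmt"

// isPrintableStringByte reports whether b is in the ASN.1 PrintableString
// alphabet: letters, digits, space and the punctuation ' ( ) + , - . / : = ?
// Note that this is narrower than "printable ASCII": '_', '@' and '*' fail.
func isPrintableStringByte(b byte) bool {
	switch {
	case b >= 'A' && b <= 'Z', b >= 'a' && b <= 'z', b >= '0' && b <= '9':
		return true
	}
	switch b {
	case ' ', '\'', '(', ')', '+', ',', '-', '.', '/', ':', '=', '?':
		return true
	}
	return false
}

// FirstInvalidPrintable returns the offset of the first byte outside the
// PrintableString alphabet, or -1 when every byte is allowed.
func FirstInvalidPrintable(v []byte) int {
	for i, b := range v {
		if !isPrintableStringByte(b) {
			return i
		}
	}
	return -1
}

// CheckRANNodeName is a hypothetical post-decode check (name assumed, not
// from the project) that rejects a RANNodeName before it is stored or logged.
func CheckRANNodeName(v []byte) error {
	if i := FirstInvalidPrintable(v); i >= 0 {
		return fmt.Errorf("RANNodeName: byte 0x%02x at offset %d is not PrintableString", v[i], i)
	}
	return nil
}

func main() {
	// Constructed sample values: one valid name, the control bytes from the
	// reproduction step, and a printable-ASCII name that is still invalid.
	samples := [][]byte{[]byte("gNB-Site 12"), {1, 2, 3, 4, 5}, []byte("gnb_01@lab")}
	for _, s := range samples {
		fmt.Printf("%q -> %v\n", s, CheckRANNodeName(s))
	}
}
```

Rejecting at decode time keeps later consumers of the field from having to handle bytes the type says cannot occur.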

Remediation

Users are advised to update to the patched version of Free5GC, which is available on the Free5GC GitHub repository.

Added: May 3, 2026, 11:20 AM
Updated: May 3, 2026, 11:20 AM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 0.6
exploitability: 9.1
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.