Free5GC Denial-of-Service Vulnerability in NGSetupRequest Handler

A denial-of-service vulnerability has been identified in Free5GC version 4.2.0, specifically within the NGSetupRequest Handler component. The issue arises when the Criticality field in the NGSetupRequest is set to 'Ignore' for the UERetentionInformation, leading to the generation of two responses—one successful and one failed. This behavior can cause a desynchronization of client state, creating ambiguity about which response should be acknowledged. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by desynchronizing client state, leaving it unclear which response to consider after the NGSetupRequest is processed.

Reproduction

To reproduce this vulnerability, send an NGSetupRequest with the Criticality set to 'Ignore' for the UERetentionInformation. This will trigger the improper handling of the Criticality, resulting in two responses being sent—one indicating success and the other failure. The generated log files will show the response sequence, highlighting the desynchronization issue.

Remediation

A patch for this vulnerability is being developed and can be tracked in the Free5GC AMF repository, where the issue has been acknowledged and addressed.