{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/free5gc-smf/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["free5GC SMF"],"_cs_severities":["high"],"_cs_tags":["free5GC","dos","vulnerability"],"_cs_type":"advisory","_cs_vendors":["free5GC"],"content_html":"\u003cp\u003efree5GC\u0026rsquo;s SMF (Session Management Function) contains a vulnerability where the \u003ccode\u003eUPI\u003c/code\u003e (User Plane Interface) management route group lacks proper authentication, exposing it to unauthenticated attacks. Specifically, the \u003ccode\u003eDELETE /upi/v1/upNodesLinks/{upNodeRef}\u003c/code\u003e handler attempts to dereference a potentially nil \u003ccode\u003eUPF\u003c/code\u003e (User Plane Function) pointer, leading to a nil-pointer dereference and panic. This occurs because \u003ccode\u003eAN\u003c/code\u003e-typed (Access Node) nodes are constructed without a \u003ccode\u003eUPF\u003c/code\u003e object. An attacker can exploit this by sending an unauthenticated DELETE request, such as \u003ccode\u003eDELETE /upi/v1/upNodesLinks/gNB1\u003c/code\u003e, crashing the handler and, critically, mutating the in-memory user-plane topology before the panic occurs. This allows an off-path network attacker to trigger a state-mutating panic-DoS against any AN entry by name. This vulnerability affects free5GC version 4.2.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable free5GC SMF instance with the exposed UPI endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a DELETE request targeting the \u003ccode\u003e/upi/v1/upNodesLinks/{upNodeRef}\u003c/code\u003e endpoint, specifying an AN node name (e.g., \u003ccode\u003egNB1\u003c/code\u003e) without any authentication credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the unauthenticated DELETE request to the SMF instance.\u003c/li\u003e\n\u003cli\u003eThe SMF receives the request and proceeds to process it within the \u003ccode\u003eDeleteUpNodeLink\u003c/code\u003e handler.\u003c/li\u003e\n\u003cli\u003eThe handler identifies the target node as an AN type and executes \u003ccode\u003eUpNodeDelete(upNodeRef)\u003c/code\u003e, which mutates the in-memory user-plane topology, deleting the specified AN entry.\u003c/li\u003e\n\u003cli\u003eThe handler then attempts to dereference the \u003ccode\u003eUPF\u003c/code\u003e field of the AN node, which is nil for AN nodes by design.\u003c/li\u003e\n\u003cli\u003eThis dereference results in a nil-pointer dereference, causing a panic in the SMF process.\u003c/li\u003e\n\u003cli\u003eThe SMF returns a 500 Internal Server Error, but the topology has already been mutated, denying SMF\u0026rsquo;s ability to consider that AN in subsequent UPF selection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows an unauthenticated attacker to perform a denial-of-service attack against the free5GC SMF. By sending a single, unauthenticated DELETE request, an attacker can delete arbitrary named entries from SMF\u0026rsquo;s in-memory user-plane topology and trigger a panic. This impacts SMF\u0026rsquo;s ability to select UPFs and establish PFCP paths for legitimate UE sessions. The attacker can repeat this process against any AN entry, sustaining the topology denial without needing to authenticate. This can lead to service disruption and impact the availability of the 5G network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the upstream fix available at \u003ca href=\"https://github.com/free5gc/smf/pull/199\"\u003ehttps://github.com/free5gc/smf/pull/199\u003c/a\u003e to patch the nil-pointer dereference in the \u003ccode\u003eDeleteUpNodeLink\u003c/code\u003e handler.\u003c/li\u003e\n\u003cli\u003eImplement authentication and authorization middleware on the \u003ccode\u003eUPI\u003c/code\u003e route group to prevent unauthenticated access, as demonstrated in the \u003ccode\u003ensmf-oam\u003c/code\u003e route group; monitor webserver logs for \u003ccode\u003eDELETE\u003c/code\u003e requests to the \u003ccode\u003e/upi/v1/upNodesLinks/\u003c/code\u003e endpoint without valid authentication headers.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Unauthenticated SMF UPI DELETE Request\u003c/code\u003e to identify unauthenticated DELETE requests to the vulnerable endpoint, monitoring webserver logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-free5gc-smf-dos/","summary":"free5GC's SMF is vulnerable to an unauthenticated denial-of-service attack where a crafted DELETE request to the /upi/v1/upNodesLinks/{ref} endpoint triggers a nil-pointer dereference, causing a panic and mutating the in-memory user-plane topology, impacting the selection of UPFs for legitimate UE sessions.","title":"free5GC SMF Unauthenticated State-Mutating Panic-DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-free5gc-smf-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Free5GC SMF","version":"https://jsonfeed.org/version/1.1"}