{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nef/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nef","free5gc"],"_cs_severities":["high"],"_cs_tags":["dos","vulnerability","free5gc"],"_cs_type":"advisory","_cs_vendors":["free5gc"],"content_html":"\u003cp\u003efree5GC\u0026rsquo;s Network Exposure Function (NEF) is susceptible to a denial-of-service vulnerability. An attacker with the ability to create a PFD subscription can specify an arbitrary \u003ccode\u003enotifyUri\u003c/code\u003e. When a PFD change event occurs, the NEF attempts to send an HTTP POST request to the configured \u003ccode\u003enotifyUri\u003c/code\u003e. If this notification delivery fails (e.g., due to connection refused, DNS resolution failure, or timeout), the NEF process terminates due to an unhandled error condition. This behavior, present in version 4.2.1, allows an unauthenticated attacker to remotely trigger a complete NEF service outage. 
The vulnerability is triggered by posting to \u003ccode\u003e/3gpp-traffic-influence/v1/afdos/subscriptions\u003c/code\u003e, \u003ccode\u003e/nnef-pfdmanagement/v1/subscriptions\u003c/code\u003e, and \u003ccode\u003e/3gpp-pfd-management/v1/afdos/transactions\u003c/code\u003e, reachable without authentication due to misconfiguration of SBI route groups.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to \u003ccode\u003e/3gpp-traffic-influence/v1/afdos/subscriptions\u003c/code\u003e to create an AF context with \u003ccode\u003eafAppId\u003c/code\u003e set to \u0026ldquo;app-nef-dos\u0026rdquo; and \u003ccode\u003eanyUeInd\u003c/code\u003e to true.\u003c/li\u003e\n\u003cli\u003eThe NEF creates a new AF context subscription and returns a \u003ccode\u003e201 Created\u003c/code\u003e response with the \u003ccode\u003eLocation\u003c/code\u003e header indicating the new subscription URI.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to \u003ccode\u003e/nnef-pfdmanagement/v1/subscriptions\u003c/code\u003e to create a PFD subscription, including a malicious \u003ccode\u003enotifyUri\u003c/code\u003e such as \u003ccode\u003ehttp://127.0.0.1:1/notify\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe NEF stores the PFD subscription with the attacker-controlled \u003ccode\u003enotifyUri\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to \u003ccode\u003e/3gpp-pfd-management/v1/afdos/transactions\u003c/code\u003e to trigger a PFD change.\u003c/li\u003e\n\u003cli\u003eThe NEF processes the PFD change request and returns a \u003ccode\u003e201 Created\u003c/code\u003e response.\u003c/li\u003e\n\u003cli\u003eThe NEF attempts to deliver an asynchronous notification to the attacker-specified \u003ccode\u003enotifyUri\u003c/code\u003e via an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eBecause the 
\u003ccode\u003enotifyUri\u003c/code\u003e is unreachable (e.g., port 1 is closed), the outbound HTTP POST fails, triggering the \u003ccode\u003elogger.Fatal(err)\u003c/code\u003e call and terminating the NEF process with exit code 1.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability leads to a complete denial-of-service condition for the free5GC NEF. Successful exploitation results in the NEF process terminating abruptly, causing loss of service and requiring a restart. Since the trigger chain is unauthenticated in v4.2.1, any attacker capable of reaching the NEF\u0026rsquo;s SBI interface can remotely trigger the process termination. This can be repeated to sustain the outage indefinitely, severely impacting the availability of the 5G network services reliant on the NEF. The vulnerability affects free5GC v4.2.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the upstream fix available at \u003ca href=\"https://github.com/free5gc/nef/pull/25\"\u003ehttps://github.com/free5gc/nef/pull/25\u003c/a\u003e to prevent the \u003ccode\u003elogger.Fatal\u003c/code\u003e call on notification delivery failure.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect NEF PFD Subscription with Unreachable notifyUri\u0026rdquo; to detect attempts to create subscriptions with suspicious callback URLs.\u003c/li\u003e\n\u003cli\u003eMonitor NEF container logs for \u003ccode\u003e[FATA][NEF][PFDMng]\u003c/code\u003e messages, which indicate that the NEF process has terminated due to the vulnerability, as shown in the container log example.\u003c/li\u003e\n\u003cli\u003eReview and harden the authentication configuration for NEF SBI route groups to prevent unauthenticated access, as discussed in \u003ca href=\"https://github.com/free5gc/free5gc/issues/858\"\u003efree5gc/free5gc#858\u003c/a\u003e, \u003ca 
href=\"https://github.com/free5gc/free5gc/issues/859\"\u003efree5gc/free5gc#859\u003c/a\u003e, and \u003ca href=\"https://github.com/free5gc/free5gc/issues/862\"\u003efree5gc/free5gc#862\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eAudit all code paths that use \u003ccode\u003elogger.Fatal\u003c/code\u003e and replace them with recoverable error handling.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:30:00Z","date_published":"2024-01-02T18:30:00Z","id":"/briefs/2024-01-02-free5gc-nef-dos/","summary":"free5GC's NEF component is vulnerable to a denial-of-service attack: an attacker can create a PFD subscription with an attacker-controlled `notifyUri`. When a PFD change is triggered, NEF attempts to deliver a notification to that URI; if the URI is unreachable, NEF terminates the entire process, causing a service outage. In version 4.2.1 this can be triggered without authentication, making it easily exploitable.","title":"free5GC NEF Denial-of-Service via Unreachable notifyUri","url":"https://feed.craftedsignal.io/briefs/2024-01-02-free5gc-nef-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Nef","version":"https://jsonfeed.org/version/1.1"}