{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/pcf/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PCF"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["free5GC"],"content_html":"\u003cp\u003eA nil-pointer dereference vulnerability has been identified in free5GC's Policy Control Function (PCF) when processing POST requests to the \u003ccode\u003e/npcf-smpolicycontrol/v1/sm-policies\u003c/code\u003e endpoint. This occurs when a downstream User Data Repository (UDR) lookup fails and returns a 404 error. Instead of properly handling the error, the PCF handler continues execution, leading to a nil response struct being dereferenced, which results in a panic. The Gin framework's recovery mechanism converts the panic into an HTTP 500 error. This vulnerability can be triggered by sending a single POST request with crafted input, such as an unknown DNN, that causes the downstream UDR lookup to fail. The issue has been validated against free5GC version v4.1.0 and confirmed to be present in v4.2.1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker sends an HTTP POST request to \u003ccode\u003e/npcf-smpolicycontrol/v1/sm-policies\u003c/code\u003e on the PCF endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a JSON payload with parameters such as \u003ccode\u003esupi\u003c/code\u003e, \u003ccode\u003epduSessionId\u003c/code\u003e, \u003ccode\u003ednn\u003c/code\u003e, \u003ccode\u003esliceInfo\u003c/code\u003e, \u003ccode\u003eservingNetwork\u003c/code\u003e, \u003ccode\u003eaccessType\u003c/code\u003e, and \u003ccode\u003enotificationUri\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ednn\u003c/code\u003e parameter in the JSON payload is set to a value that is unknown to the UDR (e.g., \u0026quot;internet-bad\u0026quot;).\u003c/li\u003e\n\u003cli\u003eThe PCF attempts to perform a UDR lookup based on the provided \u003ccode\u003ednn\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe UDR lookup fails, returning a 404 Not Found error to the PCF.\u003c/li\u003e\n\u003cli\u003eThe PCF handler logs the OpenAPI error but does not properly handle the error condition by returning.\u003c/li\u003e\n\u003cli\u003eThe handler attempts to dereference a nil response struct, resulting in a nil pointer dereference and a panic.\u003c/li\u003e\n\u003cli\u003eThe Gin recovery middleware catches the panic and returns an HTTP 500 Internal Server Error to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability results in a denial-of-service condition where any POST request that leads to a 404 error from the UDR lookup will trigger a panic in the PCF, resulting in an HTTP 500 error for the specific request. The PCF process itself remains running due to the Gin recovery middleware, but the endpoint becomes temporarily unavailable for the attacker's specific request. The vulnerability affects free5GC v4.1.0 and v4.2.1. An unauthenticated attacker can exploit the issue due to a separate authorization gap in the PCF route group.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from the upstream fix (\u003ca href=\"https://github.com/free5gc/pcf/pull/62\"\u003ehttps://github.com/free5gc/pcf/pull/62\u003c/a\u003e) to resolve the nil pointer dereference vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026quot;Detect free5GC PCF HTTP 500 Errors\u0026quot; to monitor for HTTP 500 responses from the PCF endpoint, which may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor PCF container logs for the error message \u003ccode\u003epanic: runtime error: invalid memory address or nil pointer dereference\u003c/code\u003e to identify instances where the vulnerability has been triggered.\u003c/li\u003e\n\u003cli\u003eAddress the authorization gap in the PCF \u003ccode\u003eNpcf_SMPolicyControl\u003c/code\u003e route group as described in free5gc/free5gc#844 to prevent unauthenticated exploitation of the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T18:15:00Z","date_published":"2024-01-29T18:15:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-free5gc-pcf-panic/","summary":"A nil-pointer dereference vulnerability exists in free5GC's PCF when handling POST requests to `/npcf-smpolicycontrol/v1/sm-policies`. When a downstream UDR lookup returns a 404 error, the handler continues execution instead of returning, leading to a nil response struct dereference and a panic. This results in an HTTP 500 error for the request, but the PCF process continues running. The vulnerability is triggered by sending a POST request with input that causes the downstream UDR lookup to fail, such as an unknown DNN. This issue affects free5GC versions v4.1.0 and v4.2.1.","title":"free5GC PCF Nil Pointer Dereference Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-29-free5gc-pcf-panic/"}],"language":"en","title":"CraftedSignal Threat Feed - PCF","version":"https://jsonfeed.org/version/1.1"}