{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/5g/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pcf (\u003c 1.4.3)"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","5g","pcf"],"_cs_type":"advisory","_cs_vendors":["free5gc"],"content_html":"\u003cp\u003eFree5GC PCF (Policy Control Function) versions prior to 1.4.3 contain an authentication bypass vulnerability (CVE-2026-42083) in the Npcf_SMPolicyControl service. The vulnerability stems from the absence of router authorization middleware for the \u003ccode\u003esmPolicyGroup\u003c/code\u003e route, allowing unauthenticated requests to reach sensitive SM policy handlers. An attacker able to reach the PCF SBI interface can directly invoke these handlers, potentially gaining access to subscriber identifiers including SUPI (Subscriber Permanent Identifier) and other policy context data. This issue was resolved in free5gc/pcf PR #63 by adding \u003ccode\u003eRouterAuthorizationCheck\u003c/code\u003e to \u003ccode\u003esmPolicyGroup\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Free5GC PCF instance running a version prior to 1.4.3.\u003c/li\u003e\n\u003cli\u003eThe attacker gains network access to the PCF SBI (Service Based Interface).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated HTTP POST request to \u003ccode\u003e/npcf-smpolicycontrol/v1/sm-policies\u003c/code\u003e to create a new SM policy.\u003c/li\u003e\n\u003cli\u003eThe PCF, lacking proper authentication, processes the request without verifying the attacker\u0026rsquo;s identity.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated HTTP GET request to \u003ccode\u003e/npcf-smpolicycontrol/v1/sm-policies/{smPolicyId}\u003c/code\u003e to retrieve the newly created policy.\u003c/li\u003e\n\u003cli\u003eThe PCF returns the policy context, which may contain sensitive subscriber identifiers such as \u003ccode\u003esupi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits this vulnerability to gain unauthorized access to subscriber information and manipulate SM policies.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis authentication bypass vulnerability allows unauthorized access to subscriber data and policy control functions within the 5G core network. If exploited, an attacker could potentially gain access to sensitive subscriber information, disrupt network services, or manipulate policy settings. Successful exploitation allows unauthorized actors to invoke Npcf_SMPolicyControl handlers directly.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Free5GC PCF to version 1.4.3 or later to patch CVE-2026-42083.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Unauthenticated PCF SM Policy Access\u003c/code\u003e to identify unauthenticated requests to the vulnerable endpoints.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict access to the PCF SBI interface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-free5gc-auth-bypass/","summary":"Free5GC PCF versions prior to 1.4.3 are vulnerable to an authentication bypass due to missing middleware, allowing unauthenticated access to SM policy handlers and disclosure of subscriber SUPI.","title":"Free5GC PCF Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-free5gc-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — 5g","version":"https://jsonfeed.org/version/1.1"}