{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/nef/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nef:v4.2.1","go/github.com/free5gc/nef (\u003c= 1.2.3)"],"_cs_severities":["high"],"_cs_tags":["5G","NEF","Authentication Bypass","CWE-306","CWE-862"],"_cs_type":"advisory","_cs_vendors":["free5GC"],"content_html":"\u003cp\u003eThe free5GC NEF (Network Exposure Function) version 4.2.1 contains a critical vulnerability stemming from the lack of inbound authentication on the \u003ccode\u003ennef-callback\u003c/code\u003e route group. This oversight allows an attacker to send forged SMF (Service Management Function) callback requests to the NEF without proper authorization. The vulnerability lies in the fact that the API layer processes the request body and deserializes it before any authentication check is performed. This can lead to corruption of AF (Application Function) traffic-influence or PFD (Packet Flow Description) management subscription views and influence downstream SMF/UPF (User Plane Function) policy decisions. 
The \u003ccode\u003ennef-callback\u003c/code\u003e route group remains reachable even when the runtime \u003ccode\u003eServiceList\u003c/code\u003e does not declare it, undermining intended service disabling mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a reachable NEF instance running free5GC v4.2.1.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SMF callback request targeting the \u003ccode\u003e/nnef-callback/v1/notification/smf\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eAuthorization\u003c/code\u003e header with a forged or arbitrary bearer token (e.g., \u003ccode\u003eAuthorization: Bearer not-a-real-token\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe NEF server receives the request and, due to the missing authentication middleware, parses the request body without validating the token.\u003c/li\u003e\n\u003cli\u003eThe callback handler within the NEF processes the request and attempts to look up subscription state using the provided \u003ccode\u003eNotifId\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf the \u003ccode\u003eNotifId\u003c/code\u003e is valid, the attacker can manipulate subscription data, leading to traffic-influence or PFD-management corruption.\u003c/li\u003e\n\u003cli\u003eThe corrupted subscription data influences downstream SMF/UPF policy decisions, potentially diverting traffic or modifying service quality.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized control over network traffic and subscriber experience.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe lack of authentication on the \u003ccode\u003ennef-callback\u003c/code\u003e route group allows any party that can reach the NEF on the SBI (Service Based Interface) to submit forged SMF callbacks anonymously. 
An attacker who can guess or obtain a valid \u003ccode\u003eNotifId\u003c/code\u003e can deliver forged event notifications against real subscription state, corrupting AF traffic-influence and PFD-management subscription views, and subsequently influencing downstream SMF/UPF policy decisions. The vulnerability can lead to unauthorized traffic diversion, service disruption, or modification of service quality for subscribers. The affected version is free5GC v4.2.1, potentially impacting deployments of this version in various telecommunications networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Unauthenticated NEF Callback Request\u003c/code\u003e to identify attempts to exploit the vulnerability by detecting requests to the \u003ccode\u003e/nnef-callback/v1/notification/smf\u003c/code\u003e endpoint with invalid or suspicious authorization headers (see rule below).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unauthorized POST requests to the \u003ccode\u003e/nnef-callback/v1/notification/smf\u003c/code\u003e endpoint, referencing the IP address \u003ccode\u003e10.100.200.19\u003c/code\u003e from the provided PoC.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of free5GC NEF that addresses the authentication vulnerability (see upstream fix at \u003ca href=\"https://github.com/free5gc/nef/pull/24\"\u003ehttps://github.com/free5gc/nef/pull/24\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eApply input validation and authorization checks on all SBI endpoints, especially callback handlers, to prevent unauthorized access and data manipulation.\u003c/li\u003e\n\u003cli\u003eReview and harden the NEF configuration to ensure that only authorized services and endpoints are exposed, mitigating the risk of unauthorized 
access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:30:00Z","date_published":"2024-01-02T18:30:00Z","id":"/briefs/2024-01-02-free5gc-nef-auth-bypass/","summary":"free5GC NEF v4.2.1 exposes an unauthenticated callback route group, enabling attackers to forge SMF callbacks and potentially corrupt AF traffic-influence or PFD-management subscription views, leading to unauthorized policy changes.","title":"free5GC NEF Unauthenticated Callback Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-free5gc-nef-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — NEF","version":"https://jsonfeed.org/version/1.1"}