free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network attacker who can reach SMF on the SBI can hit UPI endpoints with no Authorization header at all, and the requests reach the SMF business handlers. In the running Docker lab this was directly demonstrated for read (GET /upi/v1/upNodesLinks), write (POST /upi/v1/upNodesLinks with attacker-controlled UP-node and link payload), and delete (DELETE /upi/v1/upNodesLinks/{nodeID}) operations. This vulnerability is fixed in 4.2.2.
The SMF component mounts a UPI management route group without middleware verifying OAuth2/bearer token. This means HTTP requests go directly to SMF business handlers, bypassing any identity control. In a Docker environment, it was confirmed that GET /upi/v1/upNodesLinks (read), POST /upi/v1/upNodesLinks with arbitrary attacker payload (write), and DELETE /upi/v1/upNodesLinks/{nodeID} (delete) operations are possible. The vulnerability results from missing authorization mechanisms (CWE-306: missing authentication for critical function, CWE-862: missing authorization verification).
An attacker with access to the SBI interface can read, modify, or delete User Plane node and connection configuration without authentication, which may lead to disruption or complete interruption of user traffic in the 5G core network and unauthorized takeover of User Plane topology control.
The SMF component should be updated to version 4.2.2, which introduces a fix adding required OAuth2/bearer-token authorization on UPI endpoints. Patch available in the repository: commit e23ce97565f285eb99eed153743c62bf4c767c6e in the free5gc/smf project. Until the update is applied, restrict network access to the SBI interface exclusively to trusted hosts using firewall or network rules.
free5GC SMF in all versions prior to 4.2.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:HFree5gc
APPFree5Gc< 4.2.2
Related vulnerabilities
free5GC NEF: brak autoryzacji OAuth2 na trasach nnef-pfdmanagement
Brak autoryzacji OAuth2 w grupie tras OAM w free5GC NEF (5G core)
Brak autoryzacji OAuth2 w API NEF systemu free5GC (5G core)
Brak autoryzacji OAuth2 w NEF API sieci 5G (free5GC)
Cross-Site Request Forgery vulnerability, whose exploitation could allow an attacker to perform different acti...