free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network attacker who can reach NEF on the SBI can use a forged or arbitrary bearer token (e.g. Authorization: Bearer not-a-real-token) to read PFD application data via GET /applications and GET /applications/{appID}, and to create or delete PFD change-notification subscriptions via POST /subscriptions and DELETE /subscriptions/{subID}. Same root cause as the other NEF SBI findings: the route group is mounted without any inbound auth middleware. Unlike the OAM and traffic-influence groups, nnef-pfdmanagement IS declared in the runtime ServiceList, so this is the production-intended path that operators expect to be protected by OAuth2 setting receive from NRF: true -- and it is not. This vulnerability is fixed in 4.2.2.
The nnef-pfdmanagement route group is mounted in NEF without any middleware verifying the incoming authorization token. This means that the 'Authorization: Bearer <anything>' header is accepted without validation, and actual caller identity verification does not occur. Although nnef-pfdmanagement is listed in the production ServiceList and should be protected by the OAuth2 setting 'receive from NRF: true', this protection is not actually enforced. Thus, any entity with network access to the NEF SBI interface can perform GET /applications, GET /applications/{appID}, POST /subscriptions, and DELETE /subscriptions/{subID} operations without authentication.
An attacker with network access to the SBI can read PFD application configuration data (confidentiality breach) and create or delete PFD change notification subscriptions, which may disrupt the operation of the production 5G Core network (integrity and availability breach).
Update free5GC to version 4.2.2 or later, where the vulnerability has been fixed. Additionally, until updating, it is recommended to restrict network access to the NEF SBI interface exclusively to trusted core network components using firewall rules or network segmentation.
free5GC in all versions before 4.2.2 — affects the NEF (Network Exposure Function) component in the 5G Core network implementation
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:HFree5gc
APPFree5Gc< 4.2.2
Related vulnerabilities
free5GC SMF: brak autoryzacji OAuth2 na endpointach UPI — pełny dostęp bez uwierzytelnienia
Brak autoryzacji OAuth2 w grupie tras OAM w free5GC NEF (5G core)
Brak autoryzacji OAuth2 w API NEF systemu free5GC (5G core)
Brak autoryzacji OAuth2 w NEF API sieci 5G (free5GC)
Cross-Site Request Forgery vulnerability, whose exploitation could allow an attacker to perform different acti...