Free5gc webconsole comes with a default username Admin, and by using this username as a token header, without any password or authentication, it's possible to leak all the information below:
* Registered UEs (plmnID, ueId)
* Subscriber information (AccessType, CmState, Guti, Mcc, Mnc, Dnn, PduSessionId, Sd, SmContextRef, Sst, Supi, Tac)
* Financial impact: None or not known.
* Confidentiality impact: High: It is possible for an attacker to leak Registered UEs (plmnID, ueId), Subscriber information (AccessType, CmState, Guti, Mcc, Mnc, Dnn, PduSessionId, Sd, SmContextRef, Sst, Supi, Tac), Tenant and User.
* Integrity impact: None or not known.
* Availability impact: None or not known.
CVSS Base Score: 7.5
Impact Subscore: 3.6
Exploitability Subscore: 3.9
CVSS Temporal Score: 7.5
CVSS Environmental Score: 7.5
CVSS v3 Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X)
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X
Proposed Fix:
Consider generating a complex random token and giving it an expiration date.
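As an added illustration of the proposed fix (example code, not free5gc's own), the Go sketch below issues a random bearer token with an expiry and validates it, so a bare default username can no longer stand in for a credential. The type and function names are invented for this example, and the password check that would precede Issue is assumed rather than shown.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)
var (
	ErrInvalid = errors.New("unknown token")
	ErrExpired = errors.New("token expired")
)
// TokenStore sketches the proposed fix; the password check before Issue is assumed.
type TokenStore struct {
	mu     sync.Mutex
	tokens map[string]time.Time // token -> expiry
	ttl    time.Duration
	Now    func() time.Time // injectable clock so expiry can be exercised
}
func NewTokenStore(ttl time.Duration) *TokenStore {
	return &TokenStore{tokens: map[string]time.Time{}, ttl: ttl, Now: time.Now}
}
// Issue returns a fresh 256-bit token from crypto/rand, hex-encoded (64 chars).
func (s *TokenStore) Issue() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[tok] = s.Now().Add(s.ttl)
	return tok, nil
}
// Validate accepts only an issued, unexpired token: a bare username like "Admin"
// never matches, and expired entries are evicted so they cannot be replayed.
func (s *TokenStore) Validate(tok string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.tokens[tok]
	if !ok {
		return ErrInvalid
	}
	if !s.Now().Before(exp) {
		delete(s.tokens, tok)
		return ErrExpired
	}
	return nil
}
```

Returning distinct errors for unknown and expired tokens lets the console log failed requests with a reason, which is also what an operator would want to alert on.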
p1-aji changed the title from "[Bugs] Registered UEs, Subscriber information, Tenants and User leakage via the Free5gc webconsole without authentication" to "[Bugs] Leaking Registered UEs, Subscriber information, Tenants and User via the Free5gc webconsole without authentication" on Aug 24, 2022.
I'm not the developer of free5gc; for me, it's a feature 😃
But really who is concerned by this? From my point of view this implementation is not targeting businesses, but engineers that want to test and learn 5G.
Keeping it simple and not hiding information makes it better - at least when the part is not standardized.
> But really who is concerned by this? From my point of view this implementation is not targeting businesses, but engineers that want to test and learn 5G.
I disagree. First, because when looking at the main page, it never says that it is for education purposes only. If it were for education purposes only, there should be a huge warning sign not to use it in production.
And second, I think there are some companies out there who want to use free5gc as a core network in production. The main page explicitly states that the Apache license allows free usage for commercial purposes. This is usually not something that you would need to mention (because the Apache license is included in the repository and is generally a well-known license). I guess the reason it is mentioned is because people asked. And people usually ask this because they at least think about using it in production for commercial purposes.
A student at my university did some scans on Shodan and similar sites. She found many exposed free5gc instances all over the world. I admit it is hard to find out whether these instances are for education / research purposes or for production use, but some of them seem to belong to actual mobile network operators.
> Keeping it simple and not hiding information makes it better - at least when the part is not standardized.
Having secure access control would not heavily impact your ability to play around with free5gc. You would just have to add an extra step to handle some kind of security token, and then you could just proceed to do whatever you did before.
Risk and Impact
Risk: RISK_INFRASTRUCTURE_INFO_LEAK
Impact: TECH_IMPACT_INFO_DISCLOSURE