CVE-2023-4659
📋 TL;DR
This CVE describes a critical Cross-Site Request Forgery vulnerability in Free5GC where attackers can bypass authentication by manipulating tokens or omitting them entirely. Unprivileged remote users can perform administrative actions like creating, modifying, and deleting users. Any Free5GC deployment with the vulnerable version is affected.
💻 Affected Systems
- Free5GC
📦 What is this software?
Free5gc by Free5gc
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Free5GC platform allowing attackers to create admin accounts, delete legitimate users, modify configurations, and potentially disrupt 5G core network functions.
Likely Case
Unauthorized user creation and privilege escalation leading to persistent access and data manipulation within the affected Free5GC instance.
If Mitigated
Limited impact with proper CSRF protections and network segmentation in place, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires only web access and basic HTTP request manipulation. The vulnerability details are publicly documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not explicitly stated in provided references, but patches are available from Free5GC maintainers
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/cross-site-request-forgery-free5gc
Restart Required: Yes
Instructions:
1. Check the Free5GC version.
2. Apply the latest security patches from the Free5GC repository.
3. Restart Free5GC services.
4. Verify that token validation is properly implemented.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the Free5GC web interface to trusted networks only:
iptables -A INPUT -p tcp --dport [Free5GC-web-port] -s [trusted-network] -j ACCEPT
iptables -A INPUT -p tcp --dport [Free5GC-web-port] -j DROP
Web Application Firewall Rules
Implement WAF rules to block requests with manipulated tokens or missing authentication.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the Free5GC web interface
- Deploy a reverse proxy with additional authentication and CSRF protection layers
🔍 How to Verify
Check if Vulnerable:
Test if HTTP requests to Free5GC endpoints succeed with token='admin' or without any token. Check if user management operations can be performed unauthenticated.
Check Version:
Check Free5GC documentation or deployment configuration for version information
Verify Fix Applied:
Verify that requests with manipulated tokens are rejected and proper authentication is required for all user management operations.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful requests with unusual tokens
- User creation/modification/deletion from unexpected IP addresses
- Requests with token='admin' or missing tokens
Network Indicators:
- HTTP POST/GET/DELETE requests to user management endpoints without proper authentication headers
- Unusual patterns of administrative actions from non-admin accounts
SIEM Query:
source="free5gc" AND (token="admin" OR token=null) AND (action="create" OR action="delete" OR action="modify")
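As an added example (not part of this advisory or the free5GC project), a small Python scanner that applies the log indicators above to constructed access-log lines: it flags successful user-management requests whose token is missing or literally 'admin'. The log format and the /api/subscriber endpoint prefix are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not real free5GC output) in a simplified access-log
# format with the request token appended, "-" when absent. The /api/subscriber
# paths are an assumption about the web console's user-management API.
SAMPLE_LOGS = """\
10.0.0.5 - [12/Sep/2023:10:01:02 +0000] "POST /api/subscriber/imsi-2089300007487 HTTP/1.1" 201 token="admin"
10.0.0.5 - [12/Sep/2023:10:01:09 +0000] "DELETE /api/subscriber/imsi-2089300007488 HTTP/1.1" 204 token=-
10.0.0.5 - [12/Sep/2023:10:01:15 +0000] "GET /api/subscriber HTTP/1.1" 401 token=-
192.168.1.10 - [12/Sep/2023:10:02:00 +0000] "PUT /api/subscriber/imsi-2089300007487 HTTP/1.1" 200 token="eyJhbGciOi..."
10.0.0.7 - [12/Sep/2023:10:03:00 +0000] "GET /api/status HTTP/1.1" 200 token=-
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) token=(?:"(?P<token>[^"]*)"|-)$'
)
USER_MGMT_PATH = re.compile(r"^/api/subscriber(/|$)")  # assumed endpoint prefix

@dataclass
class Finding:
    ip: str
    method: str
    path: str
    reason: str

def suspicious_token(token):
    """Return why the token matches the advisory's indicators, or None if it looks normal."""
    if not token:
        return "missing token"
    if token.strip().lower() == "admin":
        return "token='admin'"
    return None

def scan(log_text):
    """Flag successful user-management requests made with a missing or 'admin' token."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not USER_MGMT_PATH.match(m["path"]):
            continue
        reason = suspicious_token(m["token"])
        # A 4xx means the server rejected the token; only a 2xx shows the bypass worked.
        if reason and 200 <= int(m["status"]) < 300:
            findings.append(Finding(m["ip"], m["method"], m["path"], reason))
    return findings
```

Run `scan(SAMPLE_LOGS)` to get the two hits (the POST with token='admin' and the tokenless DELETE); the rejected 401 request and the JWT-authenticated PUT are not reported.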