Open5GS NULL Pointer Dereference Vulnerability Leading to Denial-of-Service

A denial-of-service vulnerability has been identified in Open5GS version 2.7.5. The issue arises in the Service-Based Interface (SBI) of multiple network functions, including AMF, AUSF, BSF, NRF, NSSF, PCF, SMF, UDM, and UDR. The vulnerability is caused by the 'parse_multipart' function in 'lib/sbi/message.c', which improperly handles 'multipart/related' HTTP POST requests with empty bodies. This oversight leads to a NULL pointer dereference, causing a segmentation fault and crashing the affected service.

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a crash of the affected SBI service.

Reproduction

The vulnerability can be reproduced by sending a 'multipart/related' HTTP POST request with an empty body to the SBI endpoints of the affected network functions. This can be done using a crafted Rust program that connects to the appropriate addresses and ports of the Open5GS components.

Remediation

Users can update to Open5GS version 2.7.6 or later, where this vulnerability has been fixed.