Open5GS Shared NF-Profile Parser Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7. The issue is in the shared NF-profile parser in lib/sbi/nnrf-handler.c. When 'tacRangeList' contains more entries than the parser can handle, an assertion fails and the process crashes. The vulnerability can be exploited remotely. The crash occurs in the NF Repository Function (NRF), but the affected parser is used by multiple network functions.
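The failure mode described above, shown as an added example (not Open5GS source code and not the project's patch): a parser that asserts on a peer-controlled entry count next to one that rejects the oversized list and keeps running. The names MAX_TAC_RANGES, tac_range_t, tai_info_t and both functions are hypothetical, and the limit of 4 is a constructed value because the page does not state the real one.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical capacity; the real Open5GS limit is not given on the page. */
#define MAX_TAC_RANGES 4

typedef struct { unsigned start, end; } tac_range_t;

typedef struct {
    int num_of_range;
    tac_range_t range[MAX_TAC_RANGES];
} tai_info_t;

/* Fragile form: the entry count comes from the remote peer, yet exceeding
 * the fixed capacity is treated as "cannot happen" and aborts the process. */
int parse_ranges_fragile(tai_info_t *out, const tac_range_t *in, size_t n)
{
    out->num_of_range = 0;
    for (size_t i = 0; i < n; i++) {
        if (out->num_of_range >= MAX_TAC_RANGES)
            abort();                 /* same effect as a failed assertion */
        out->range[out->num_of_range++] = in[i];
    }
    return 0;
}

/* Hardened form: check the count before touching the output, return an
 * error for the caller to turn into an HTTP error response, keep serving. */
int parse_ranges_hardened(tai_info_t *out, const tac_range_t *in, size_t n)
{
    if (n > MAX_TAC_RANGES)
        return -1;                   /* oversized list: reject the profile */
    for (size_t i = 0; i < n; i++)
        out->range[i] = in[i];
    out->num_of_range = (int)n;
    return 0;
}

int main(void)
{
    /* Constructed sample input: one entry more than the capacity. */
    tac_range_t in[MAX_TAC_RANGES + 1] = {{1,2},{3,4},{5,6},{7,8},{9,10}};
    tai_info_t t;
    printf("within limit: %d\n", parse_ranges_hardened(&t, in, MAX_TAC_RANGES));
    printf("over limit:   %d\n", parse_ranges_hardened(&t, in, MAX_TAC_RANGES + 1));
    return 0;
}
```

Assertions are suited to internal invariants; sizes and counts taken from network input need an explicit check with an error path.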

Impact

Exploiting this vulnerability causes the Open5GS process to crash, terminating the HTTP/2 stream and exiting with a code indicating a segmentation fault.

Reproduction

The vulnerability can be reproduced by sending a PUT request to the NRF with an NF instance that includes an oversized 'tacRangeList'. This can be done using a crafted payload that exceeds the internal limits, which will trigger the assertion failure and crash the process.

Remediation

Users are advised to update to the patched version of Open5GS, which is available in the official repository.

Added: May 30, 2026, 9:18 AM
Updated: May 30, 2026, 9:18 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.