free5GC NRF Improper Input Validation Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in free5GC's NRF component, specifically in versions prior to 1.4.2. The issue arises from improper input validation in the 'EncodeGroupId' function, which processes the 'group-id-list' parameter. The function accesses array indices without verifying the data length, allowing a remote attacker to send a crafted HTTP GET request that causes the service to panic and crash. This disruption affects all deployments of free5GC using the NRF discovery service.
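The bug class described above, shown as an added Go example rather than free5GC's own code: an unchecked index into a split result next to a length-validated version that returns an error instead of panicking. The "-" separator, the three-field layout and all function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumptions for illustration only: a "-" separator and three fields.
// The real group-id layout and the project's EncodeGroupId are not reproduced here.
const (
	sep        = "-"
	wantFields = 3
)

var errMalformedGroupID = errors.New("malformed group id")

// encodeUnchecked mirrors the bug class: it indexes the split result
// without confirming how many fields the input actually produced.
func encodeUnchecked(id string) string {
	p := strings.Split(id, sep)
	return p[0] + p[1] + p[2] // index out of range when a separator is missing
}

// encodeChecked validates the field count first and returns an error
// that an HTTP handler can map to a 400 response instead of crashing.
func encodeChecked(id string) (string, error) {
	p := strings.Split(id, sep)
	if len(p) != wantFields {
		return "", fmt.Errorf("%w: got %d fields, want %d", errMalformedGroupID, len(p), wantFields)
	}
	return strings.Join(p, ""), nil
}

// panics reports whether calling f triggers a runtime panic.
func panics(f func()) (did bool) {
	defer func() { did = recover() != nil }()
	f()
	return false
}

func main() {
	for _, in := range []string{"aaa-bbb-ccc", "aaa-bbb", ""} { // constructed inputs
		_, err := encodeChecked(in)
		crashed := panics(func() { encodeUnchecked(in) })
		fmt.Printf("%q checked_err=%v unchecked_panics=%v\n", in, err, crashed)
	}
}
```

An unrecovered panic of this kind in a request path takes the whole process down, which is why the check belongs before the first index rather than in a recover wrapper alone.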

Impact

Exploitation of this vulnerability causes the NRF service to panic and crash, leading to a complete denial-of-service for the NRF discovery service.

Reproduction

The vulnerability can be reproduced by sending an HTTP GET request to the NRF discovery service with a malformed 'group-id-list' parameter that lacks sufficient separator characters. This can be done using a tool like curl, after disabling OAuth in the nrfcfg.yaml file.

Remediation

Users are advised to upgrade to free5GC NRF version 1.4.2 or later, and to restrict access to the NRF API to trusted sources only.

Added: Mar 20, 2026, 3:26 AM
Updated: Mar 20, 2026, 3:26 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 8.7
remediation: 7.9
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.