Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.7
A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7, specifically within the BSF component. The issue is in the function 'bsf_sess_find_by_ipv6prefix' in 'context.c': the application crashes when the 'ipv6Prefix' argument is a valid IPv6 prefix whose length is not '/128'. The flaw can be exploited remotely and causes the BSF process to terminate unexpectedly after failing an assertion check. The vulnerability was reported to the Open5GS project, but no response has been received yet.
Exploiting this vulnerability leads to a crash of the BSF process, causing a denial-of-service condition where the service becomes unavailable until manually restarted.
The vulnerability can be reproduced by sending a request to the '/nbsf-management/v1/pcfBindings' endpoint with an 'ipv6Prefix' parameter that has a prefix length other than '/128'. This can be done using either a GET request with a query parameter or a POST request with a JSON payload containing the 'ipv6Prefix' field. After the request is sent, the BSF container will crash, which can be verified by checking the container's logs and exit status.
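As an added example (not Open5GS code and not the project's fix), one defensive way to handle the 'ipv6Prefix' field in C is to parse and validate the untrusted value and return an error for anything malformed, so that no request input can reach an assertion. The names parse_ipv6_prefix, struct ipv6_prefix and the PREFIX_* codes are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names for this example; none are Open5GS identifiers. */
enum { PREFIX_OK = 0, PREFIX_MALFORMED = -1 };

struct ipv6_prefix {
    uint8_t addr[16]; /* network byte order, host bits cleared */
    uint8_t len;      /* 0..128 */
};
/* Parse untrusted "addr/len". Every failure returns PREFIX_MALFORMED so the
 * caller can send an HTTP error; nothing here asserts or aborts. */
int parse_ipv6_prefix(const char *text, struct ipv6_prefix *out)
{
    char buf[INET6_ADDRSTRLEN];
    const char *slash;
    char *end;
    long len;
    size_t addr_len;

    if (text == NULL || out == NULL || (slash = strchr(text, '/')) == NULL)
        return PREFIX_MALFORMED;
    addr_len = (size_t)(slash - text);
    if (addr_len == 0 || addr_len >= sizeof(buf))
        return PREFIX_MALFORMED;
    memcpy(buf, text, addr_len);
    buf[addr_len] = '\0';
    /* Length: one to three decimal digits, nothing trailing, at most 128. */
    if (slash[1] < '0' || slash[1] > '9' || strlen(slash + 1) > 3)
        return PREFIX_MALFORMED;
    len = strtol(slash + 1, &end, 10);
    if (*end != '\0' || len > 128)
        return PREFIX_MALFORMED;
    if (inet_pton(AF_INET6, buf, out->addr) != 1)
        return PREFIX_MALFORMED;

    /* Design choice of this example: clear host bits for a canonical key. */
    for (int i = 0; i < 16; i++) {
        int bits = (int)len - i * 8;
        if (bits <= 0)
            out->addr[i] = 0;
        else if (bits < 8)
            out->addr[i] &= (uint8_t)(0xFF << (8 - bits));
    }
    out->len = (uint8_t)len;
    return PREFIX_OK;
}
```

A lookup built on this result should treat a prefix length it does not support as "not found" or a client error rather than as an invariant violation.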