Open5GS NSSF Component Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7, specifically within the NSSF component. The issue arises in the function 'ogs_sbi_stream_find_by_id' located in the file '/lib/sbi/nghttp2-server.c'. The vulnerability can be exploited locally, causing a crash by manipulating the handling of delayed responses in the NSSF's client-response state machine.

Impact

Exploitation of this vulnerability leads to a crash of the NSSF component, causing it to exit with an error code after failing an assertion check.

Reproduction

The vulnerability can be reproduced by sending a request to the NSSF component that triggers an outbound query to a Home-NSSF server, while simultaneously disconnecting the original client before the response is received. This can be done by setting a short timeout on the request, causing it to abort before the delayed response arrives. The NSSF component will then crash when it attempts to process the response, which is no longer associated with an active stream.
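The failure mode described above, as an added example in C that is not Open5GS code: a hypothetical stream table in which a delayed upstream response looks up a stream whose client has already disconnected. All names here (`stream_t`, `stream_open`, `on_upstream_response_asserting`, `on_upstream_response_checked`) are assumptions made for illustration; the model contrasts asserting on the lookup result with treating a missing stream as an expected race.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#define MAX_STREAMS 8

/* Hypothetical model of a server-side stream table; not Open5GS code. */
typedef struct { int id; bool live; int status_sent; } stream_t;
stream_t streams[MAX_STREAMS];
int next_id = 1; /* ids are never reused, so a stale id stays stale */

int stream_open(void) {
    for (int i = 0; i < MAX_STREAMS; i++)
        if (!streams[i].live) {
            streams[i] = (stream_t){ .id = next_id++, .live = true };
            return streams[i].id;
        }
    return -1; /* table full */
}

stream_t *stream_find_by_id(int id) {
    for (int i = 0; i < MAX_STREAMS; i++)
        if (streams[i].live && streams[i].id == id) return &streams[i];
    return NULL; /* client already gone: an expected outcome, not a bug */
}

void stream_close(int id) { /* client disconnect or request timeout */
    stream_t *s = stream_find_by_id(id);
    if (s) s->live = false;
}

/* Fragile pattern: a late upstream response aborts the whole process. */
void on_upstream_response_asserting(int id, int status) {
    stream_t *s = stream_find_by_id(id);
    assert(s); /* fires if the client left before the response arrived */
    s->status_sent = status;
}

/* Hardened pattern: treat a missing stream as a normal race and drop. */
bool on_upstream_response_checked(int id, int status) {
    stream_t *s = stream_find_by_id(id);
    if (s == NULL) return false; /* log, discard, keep serving others */
    s->status_sent = status;
    return true;
}

int main(void) {
    int id = stream_open();
    stream_close(id); /* constructed scenario: client timed out first */
    printf("late response delivered: %d\n", on_upstream_response_checked(id, 200));
    return 0;
}
```

In the checked handler a stale id costs one dropped response, while the asserting handler turns the same event into a process exit that affects every other client.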

Added: May 8, 2026, 1:19 AM
Updated: May 8, 2026, 1:19 AM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 4.8
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.