Open5GS NSSF Component Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7, specifically within the NSSF component. The issue arises in the function 'nssf_nnrf_nsselection_handle_get_from_amf_or_vnssf' in 'nnssf-handler.c'. When a client sends a request that includes 'home-plmn-id' and 'homeSnssai' slice information, and the local NSSF configuration lacks a serving PLMN ID, the NSSF process crashes. This occurs because the handler asserts that at least one serving PLMN is configured before processing the request, leading to an assertion failure and process termination. The vulnerability can be exploited remotely, causing a crash of the NSSF service.

Impact

Exploitation of this vulnerability causes the NSSF process to crash, disrupting service and potentially leading to a denial of functionality for dependent processes or services.

Reproduction

The vulnerability can be reproduced by sending a 'GET' request to the '/nnssf-nsselection/v2/network-slice-information' endpoint. The request must include a 'home-plmn-id' and 'slice-info-request-for-pdu-session.homeSnssai' payload, while the local NSSF configuration must not have a serving PLMN ID defined. This can be done using 'curl' with HTTP/2 prior knowledge, targeting the NSSF service in a Docker deployment where the serving PLMN configuration is absent.