Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.7
A denial-of-service vulnerability has been identified in Open5GS versions prior to 2.7.7. The issue arises in the PCF component, specifically within the NBSF management registration handling function. When the function processes a registration response from the BSF that contains a malformed 'Location' header, it can cause the PCF to crash. This vulnerability can be exploited remotely, and the issue has been publicly disclosed.
Exploitation of this vulnerability leads to a crash of the PCF process, causing a denial-of-service condition where the PCF instance is restarted, disrupting service.
The vulnerability can be reproduced by sending a POST request to the '/npcf-smpolicycontrol/v1/sm-policies' endpoint while the BSF's registration response carries a malformed 'Location' header. This can be done using a fake BSF service that returns a '201 Created' status but with an invalid 'Location' header that omits the required binding ID. The PCF will crash immediately upon receiving the malformed response.
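The missing check can be illustrated from the defensive side: validate the 'Location' value from a '201 Created' response and reject it when the binding ID is absent, instead of using the result unchecked. This is an added example, not Open5GS code or its patch; the helper name `binding_id_from_location`, the sample host and the buffer size are assumptions, and the resource path is the Nbsf_Management one from 3GPP TS 29.521.

```c
#include <stdio.h>
#include <string.h>

/* Nbsf_Management resource collection per 3GPP TS 29.521; the binding ID
 * is the path segment that follows it. */
#define PCF_BINDINGS "/nbsf-management/v1/pcfBindings/"

/* Hypothetical helper, not an Open5GS function. Copies the binding ID from
 * a Location header value into out and returns 0. Returns -1 when the
 * header is missing, lacks the pcfBindings resource, or has an empty,
 * nested or oversized binding ID, so the caller can fail the registration
 * cleanly. */
int binding_id_from_location(const char *location, char *out, size_t out_len)
{
    const char *id;
    size_t len;

    if (location == NULL || out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';

    id = strstr(location, PCF_BINDINGS);
    if (id == NULL)
        return -1;                 /* resource path absent or truncated */
    id += strlen(PCF_BINDINGS);

    len = strcspn(id, "/?#");      /* ID runs to the next URI delimiter */
    if (len == 0 || len >= out_len || id[len] == '/')
        return -1;                 /* ID omitted, too long, or extra path */

    memcpy(out, id, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample header values; the host name is a placeholder. */
    const char *samples[] = {
        "http://bsf.example:7777/nbsf-management/v1/pcfBindings/42",
        "http://bsf.example:7777/nbsf-management/v1/pcfBindings/",
        "http://bsf.example:7777/",
    };
    char id[64];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = binding_id_from_location(samples[i], id, sizeof(id));
        printf("%-60s -> %s\n", samples[i], rc == 0 ? id : "rejected");
    }
    return 0;
}
```

A caller that receives -1 should treat the registration as failed and log the peer's response rather than continue with an unset binding ID.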