Open5GS Denial-of-Service Vulnerability in NRF Component

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS versions through 2.7.7, specifically within the function ogs_nnrf_nfm_handle_nf_profile in the file lib/sbi/nnrf-handler.c, part of the NRF component. This vulnerability allows for remote exploitation, causing the NRF process to crash by exhausting the NF instance pool. The issue arises when a Home-PLMN NRF response contains an excessive number of unique NF instances, leading to resource exhaustion and an assertion failure that terminates the process.

Impact

Exploiting this vulnerability causes the local NRF process to crash, exiting with code 139, which indicates a segmentation fault. This interruption can disrupt services relying on the NRF component.

Reproduction

The vulnerability can be reproduced by sending an inter-PLMN discovery request to a Home-PLMN NRF that is set up to respond with a large number of distinct NF instances. This can be done by running a fake Home NRF that simulates the response, then initiating the discovery request from the local NRF. The local NRF crashes after processing the response with too many instances, demonstrating the denial-of-service condition.

Remediation

A pull request has been submitted to address this vulnerability by replacing the assertion that causes the crash with a more graceful handling of the situation, capping the number of instances and preventing the resource exhaustion.
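
The remediation pattern described above, as an added example: this is not Open5GS code and not the code from the pull request. The pool size, the type and function names, and the sample ids are hypothetical; the sketch only shows a fixed-size pool whose exhaustion is handled by skipping and counting entries instead of asserting.

```c
#include <stdio.h>
#include <string.h>
#define POOL_SIZE 8   /* assumed cap for the demo, not the project's value */
#define ID_LEN 37     /* UUID string plus NUL */
typedef struct { char id[ID_LEN]; int used; } nf_instance_t;
static nf_instance_t pool[POOL_SIZE];

/* Find id or claim a free slot; NULL when the id is oversized or the pool is full. */
static nf_instance_t *nf_find_or_add(const char *id) {
    nf_instance_t *free_slot = NULL;
    if (strlen(id) >= ID_LEN) return NULL;
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].used && strcmp(pool[i].id, id) == 0) return &pool[i];
        if (!pool[i].used && !free_slot) free_slot = &pool[i];
    }
    if (free_slot) { free_slot->used = 1; strcpy(free_slot->id, id); }
    return free_slot;
}

/* Handle instance ids from a peer response; returns how many were dropped. */
int handle_search_result(const char **ids, int n) {
    int dropped = 0;
    for (int i = 0; i < n; i++) {
        /* Crashing pattern: assert(nf_find_or_add(ids[i])) on peer-controlled data. */
        if (!nf_find_or_add(ids[i])) dropped++;   /* hardened: skip, count, continue */
    }
    if (dropped) fprintf(stderr, "NF pool full, dropped %d instance(s)\n", dropped);
    return dropped;
}

int pool_in_use(void) {
    int c = 0;
    for (int i = 0; i < POOL_SIZE; i++) c += pool[i].used;
    return c;
}

/* Constructed input: n distinct ids (n capped at 64), passed to the handler. */
int simulate_response(int n) {
    static char buf[64][ID_LEN]; const char *ids[64];
    if (n > 64) n = 64;
    for (int i = 0; i < n; i++) { snprintf(buf[i], ID_LEN, "nf-%04d", i); ids[i] = buf[i]; }
    return handle_search_result(ids, n);
}

int main(void) {
    int dropped = simulate_response(12);   /* 12 distinct ids against a pool of 8 */
    printf("dropped=%d in_use=%d\n", dropped, pool_in_use());
    return 0;
}
```

The dropped count is worth exporting as a metric or log field, since a non-zero value means a peer response exceeded local capacity.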

Added: May 11, 2026, 4:22 PM
Updated: May 11, 2026, 4:22 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.