Open5GS NRF Denial-of-Service Vulnerability via Malformed PLMN List

Vulnerability

A denial-of-service vulnerability has been identified in the NRF component of Open5GS versions through 2.7.7. The flaw is in the function 'ogs_sbi_discovery_option_parse_plmn_list' in '/lib/sbi/conv.c'. When the 'target-plmn-list' argument contains invalid JSON, an assertion check fails on the improper input and the NRF process terminates unexpectedly. The vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability causes the NRF process to crash, disrupting service and potentially leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a GET request to the '/nnrf-disc/v1/nf-instances' endpoint with the 'target-plmn-list' parameter set to an invalid JSON string. After the request is sent, the NRF service can be checked to confirm that it has crashed due to the malformed input.
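For defenders, the malformed parameter described above can be caught before it reaches the NRF, or found afterwards in request logs. The following is an added example, not code from Open5GS or from this advisory; the function names are hypothetical, and the PlmnId shape check (3-digit 'mcc', 2- or 3-digit 'mnc') is an assumption taken from the 3GPP data model rather than from this page.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

DISC_PATH = "/nnrf-disc/v1/nf-instances"   # endpoint named in the advisory
PARAM = "target-plmn-list"                 # parameter named in the advisory
MCC_RE = re.compile(r"[0-9]{3}")           # assumed PlmnId shape (3GPP data model)
MNC_RE = re.compile(r"[0-9]{2,3}")


def check_plmn_list(raw):
    """Return None when raw is a well-formed PLMN list, else a reason string."""
    try:
        value = json.loads(raw)
    except (ValueError, RecursionError):
        return "not valid JSON"
    if not isinstance(value, list) or not value:
        return "not a non-empty JSON array"
    for item in value:
        if not isinstance(item, dict):
            return "array item is not an object"
        mcc, mnc = item.get("mcc"), item.get("mnc")
        if not (isinstance(mcc, str) and MCC_RE.fullmatch(mcc)):
            return "bad or missing mcc"
        if not (isinstance(mnc, str) and MNC_RE.fullmatch(mnc)):
            return "bad or missing mnc"
    return None


def classify_request(method, target):
    """Return 'ignore', 'ok' or 'reject: <reason>' for one request line."""
    parts = urlsplit(target)
    if method != "GET" or parts.path.rstrip("/") != DISC_PATH:
        return "ignore"
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        reason = check_plmn_list(raw)
        if reason:
            return "reject: " + reason
    return "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("GET", "/nnrf-disc/v1/nf-instances?target-nf-type=AMF&requester-nf-type=SMF"),
    ("GET", "/nnrf-disc/v1/nf-instances?target-plmn-list="
            "%5B%7B%22mcc%22%3A%22001%22%2C%22mnc%22%3A%2201%22%7D%5D"),
    ("GET", "/nnrf-disc/v1/nf-instances?target-plmn-list=%7B%22mcc%22%3A%22001%22%7D"),
    ("GET", "/nnrf-disc/v1/nf-instances?target-plmn-list=not-json"),
]

if __name__ == "__main__":
    for method, target in SAMPLES:
        print(classify_request(method, target), target)
```

A request classified as 'reject' is one a fronting proxy could answer with an HTTP 400 instead of forwarding, and in log review it marks a request worth correlating with NRF restarts.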

Added: May 17, 2026, 4:19 AM
Updated: May 17, 2026, 4:19 AM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 8.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.