Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.7
A denial-of-service vulnerability has been identified in the NRF component of Open5GS versions through 2.7.7. An unknown function in the library file '/lib/sbi/message.c' fails to properly handle oversized 'service-names' in discovery queries. The flaw can be exploited remotely and causes the NRF process to crash. The vulnerability has been publicly disclosed; the project was notified earlier but has not responded.
Exploitation crashes the NRF process, leaving the service unavailable (a denial-of-service condition).
The vulnerability can be reproduced by sending a 'GET' request to the '/nnrf-disc/v1/nf-instances' endpoint with the 'service-names' parameter containing more items than the maximum allowed. This oversized input causes an assertion failure in the discovery query parser, leading to a crash. The process exit code will be '139', indicating a segmentation fault.
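The failure described above is a list limit enforced by an assertion instead of an error return. The following bounded parser is an added example, not Open5GS code and not part of the advisory; `MAX_SERVICE_NAMES`, `MAX_NAME_LEN`, the status codes and both function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SERVICE_NAMES 8    /* assumed limit, not Open5GS's real constant */
#define MAX_NAME_LEN      64   /* assumed per-item length cap */

enum { PARSE_OK = 0, PARSE_TOO_MANY = -1, PARSE_BAD_ITEM = -2 };

struct service_names {
    size_t count;
    char   names[MAX_SERVICE_NAMES][MAX_NAME_LEN + 1];
};

/* Split a comma-separated 'service-names' value into out->names.
 * Limit violations are returned to the caller (which can answer
 * 400 Bad Request); nothing asserts or writes past the array. */
int parse_service_names(const char *value, struct service_names *out)
{
    if (value == NULL || out == NULL)
        return PARSE_BAD_ITEM;
    out->count = 0;
    for (const char *p = value;;) {
        size_t len = strcspn(p, ",");      /* length of the current item */
        if (len == 0 || len > MAX_NAME_LEN)
            return PARSE_BAD_ITEM;         /* empty or oversized item */
        if (out->count == MAX_SERVICE_NAMES)
            return PARSE_TOO_MANY;         /* checked before storing */
        memcpy(out->names[out->count], p, len);
        out->names[out->count++][len] = '\0';
        if (p[len] == '\0')
            return PARSE_OK;
        p += len + 1;                      /* step over the comma */
    }
}

/* Convenience wrapper: parse into a scratch struct, return the status. */
int status_of(const char *value)
{
    struct service_names scratch;
    return parse_service_names(value, &scratch);
}

int main(void)
{
    /* Constructed sample values: 8 items (at the limit) and 9 items. */
    printf("%d\n", status_of("a,b,c,d,e,f,g,h"));
    printf("%d\n", status_of("a,b,c,d,e,f,g,h,i"));
    return 0;
}
```

Because the over-limit case is an ordinary return value, the request handler can reject the query and keep the process running.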