Open5GS NRF Denial-of-Service Vulnerability via Client Pool Exhaustion

A denial-of-service vulnerability exists in Open5GS versions through 2.7.7, specifically within the NRF component. The issue arises in the function 'ogs_sbi_client_add' located in '/lib/sbi/client.c'. The vulnerability allows for remote exploitation by manipulating the 'client_pool' argument, leading to resource exhaustion. This causes the NRF process to crash, as the 'client_pool' is prematurely depleted before reaching the subscription pool exhaustion threshold.

Impact

Exhaustion of the client pool in the NRF component, causing the process to crash and exit with code 139.

Reproduction

The vulnerability can be reproduced by sending repeated 'POST /nnrf-nfm/v1/subscriptions' requests with different 'nfStatusNotificationUri' hosts. This exhausts the 'client_pool', which is limited to 64 by default, causing NRF to crash. The issue can be verified by checking the container's exit status and logs, which will indicate the crash after the client pool is exhausted.