Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.7
A denial-of-service vulnerability has been identified in the Network Repository Function (NRF) component of Open5GS versions through 2.7.7. The issue lies in the 'ogs_sbi_subscription_data_add' and 'ogs_sbi_nf_service_add' functions in '/lib/sbi/context.c'. It can be exploited remotely and crashes the NRF process. The issue has been publicly disclosed. The underlying problem is resource exhaustion: when the subscription or service pool becomes full, the application asserts and terminates.
Exploitation of this vulnerability causes the NRF process to crash, exiting with a code that indicates an assertion failure. This abrupt termination can disrupt services that rely on the NRF component.
The vulnerability can be reproduced by sending repeated valid 'POST /nnrf-nfm/v1/subscriptions' requests. This floods the subscription pool, which is fixed in size and can be exhausted, leading to a crash. Alternatively, the issue can be triggered by direct server-side registration requests that include an excessive number of NF services, or by inter-PLMN discovery responses that contain oversized service payloads.
A patch has been released in Open5GS version 2.7.8, which replaces the assertion on pool exhaustion with a graceful error handling approach. This allows the NRF to reject excessive subscription or service requests without crashing.
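The difference between asserting on pool exhaustion and handling it gracefully, as an added example that is not Open5GS code. The types, function names, the pool size of 4 and the 201/503 status codes are all assumptions made for illustration.

```c
#include <assert.h>
#include <stdio.h>
#define POOL_SIZE 4 /* constructed value, tiny so exhaustion is easy to reach */

/* Hypothetical subscription record and fixed-size pool (not Open5GS types). */
typedef struct { int in_use; char nf_id[40]; } sub_t;
typedef struct { sub_t slot[POOL_SIZE]; } sub_pool_t;

/* Return a free slot, or NULL when every slot is taken. */
sub_t *pool_alloc(sub_pool_t *p)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!p->slot[i].in_use) {
            p->slot[i].in_use = 1;
            return &p->slot[i];
        }
    return NULL;
}

/* Assert-on-exhaustion pattern: a full pool aborts the whole process. */
sub_t *subscription_add_asserting(sub_pool_t *p, const char *nf_id)
{
    sub_t *s = pool_alloc(p);
    assert(s); /* whether this fires depends on how many requests arrived */
    snprintf(s->nf_id, sizeof s->nf_id, "%s", nf_id);
    return s;
}

/* Graceful pattern: a full pool is an ordinary runtime condition. */
sub_t *subscription_add_checked(sub_pool_t *p, const char *nf_id)
{
    sub_t *s = pool_alloc(p);
    if (!s) return NULL; /* caller turns this into an error response */
    snprintf(s->nf_id, sizeof s->nf_id, "%s", nf_id);
    return s;
}

/* Hypothetical handler; 201 and 503 are this example's choice of status. */
int handle_subscribe(sub_pool_t *p, const char *nf_id)
{
    return subscription_add_checked(p, nf_id) ? 201 : 503;
}

int main(void)
{
    sub_pool_t pool = {0};
    for (int i = 0; i <= POOL_SIZE; i++)
        printf("request %d -> %d\n", i + 1, handle_subscribe(&pool, "nf-a"));
    return 0;
}
```

With the checked variant the request that finds the pool full is rejected and the process keeps serving; existing entries are untouched and a freed slot is usable again.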