Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.7.7
A use-after-free vulnerability has been identified in Open5GS versions prior to 2.7.7, in the NRF component. The defect is in the discover_handler function of the source file nghttp2-server.c, the HTTP/2 server code the NRF uses for its service-based interface. It is remotely triggerable and results in a crash of the NRF service. The condition arises during inter-PLMN discovery forwarding: the NRF forwards a discovery request to a Home-NRF and keeps a raw pointer to the requesting client's HTTP/2 stream. If the Home-NRF's response is delayed until after the original client has disconnected, the stream object has already been freed, and the NRF dereferences the stale pointer when it tries to deliver the response, hitting an abort.
Triggering the vulnerability crashes the NRF, terminating the service. Since every network function in the core registers with and discovers its peers through the NRF, an NRF outage disrupts any operation that depends on NF discovery until the service is restarted.
The vulnerability can be reproduced with a fake Home-NRF service that can be switched into a delayed-response mode. An inter-PLMN discovery request is sent to the NRF (so that it is forwarded to the fake Home-NRF), the fake Home-NRF is switched to delayed mode, and the request is issued with a short client-side timeout. The client stream is torn down when the timeout expires, before the delayed response arrives; when the NRF then processes the response through the stale stream pointer, it crashes.
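The failure mode described above is the classic asynchronous-callback use-after-free: the state saved for the forwarded request holds a raw pointer to the client's HTTP/2 stream, and nothing re-validates that pointer when the Home-NRF's answer finally arrives. The C model below is an added illustration and not code from Open5GS or nghttp2. It replays the reproduction in miniature (request on stream 1, client times out, a second client's stream 3 reuses the freed slot, then the delayed Home-NRF body arrives) against a vulnerable handler that trusts the captured pointer and a hardened handler that keeps only the stream id and looks it up again at delivery time. All names (stream_t, pending_t, discover_handler_unsafe, discover_handler_safe, replay) are hypothetical, and the fixed pool with a live flag stands in for the heap so that the stale write is observable instead of being undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an HTTP/2 server's per-connection stream table
 * (added example, not Open5GS or nghttp2 code). A fixed pool with an
 * explicit 'live' flag stands in for the heap, so a stale access is
 * observable instead of being undefined behaviour. */
#define MAX_STREAMS 4

typedef struct {
    int32_t id;          /* HTTP/2 stream id; 0 marks a free slot */
    int live;            /* 1 while the client stream is open */
    char response[64];   /* body the server would send on this stream */
} stream_t;

typedef struct {
    stream_t pool[MAX_STREAMS];
} session_t;

/* State the NRF must keep while a discovery is forwarded to the Home-NRF.
 * The vulnerable shape caches a raw stream pointer; the hardened shape
 * keeps only the stream id and re-validates it when the answer arrives. */
typedef struct {
    stream_t *stream;    /* captured at request time (vulnerable) */
    int32_t stream_id;   /* captured at request time (hardened) */
} pending_t;

/* Result of one replay: the handler's return code and whatever body ended
 * up in the buffer of the stream that reused the freed slot. */
typedef struct {
    int rc;
    char stream3_body[64];
} replay_result_t;

void session_init(session_t *s) { memset(s, 0, sizeof *s); }

/* Lowest free slot wins, so a closed stream's memory is handed to the next
 * client, much as a heap allocator tends to return a just-freed chunk. */
stream_t *stream_open(session_t *s, int32_t id) {
    for (int i = 0; i < MAX_STREAMS; i++) {
        if (s->pool[i].id == 0) {
            s->pool[i].id = id;
            s->pool[i].live = 1;
            s->pool[i].response[0] = '\0';
            return &s->pool[i];
        }
    }
    return NULL;
}

/* Client timed out or disconnected: the server frees the stream object. */
void stream_close(session_t *s, int32_t id) {
    for (int i = 0; i < MAX_STREAMS; i++) {
        if (s->pool[i].id == id) {
            s->pool[i].id = 0;
            s->pool[i].live = 0;
        }
    }
}

/* Lookup by id; NULL once the stream is gone. In a real nghttp2 server this
 * is the role nghttp2_session_get_stream_user_data() plays. */
stream_t *stream_lookup(session_t *s, int32_t id) {
    for (int i = 0; i < MAX_STREAMS; i++)
        if (s->pool[i].live && s->pool[i].id == id)
            return &s->pool[i];
    return NULL;
}

/* Vulnerable shape: trusts the pointer captured before the wait. If the
 * client went away meanwhile, this writes into freed (here: reused) memory. */
void discover_handler_unsafe(pending_t *p, const char *home_nrf_body) {
    snprintf(p->stream->response, sizeof p->stream->response, "%s", home_nrf_body);
}

/* Hardened shape: re-resolve the stream id when the delayed answer arrives
 * and drop the response if the stream no longer exists. */
int discover_handler_safe(session_t *s, pending_t *p, const char *home_nrf_body) {
    stream_t *st = stream_lookup(s, p->stream_id);
    if (st == NULL)
        return -1;   /* client already gone: discard, touch no memory */
    snprintf(st->response, sizeof st->response, "%s", home_nrf_body);
    return 0;
}

/* Replays the reproduction: discovery request on stream 1 is forwarded,
 * the client times out, another client's stream 3 reuses the freed slot,
 * then the delayed Home-NRF body arrives. */
replay_result_t replay(int hardened) {
    session_t s;
    replay_result_t r = { 0, "" };
    session_init(&s);
    stream_t *st1 = stream_open(&s, 1);
    pending_t p = { st1, st1->id };          /* forwarded to the Home-NRF */
    stream_close(&s, 1);                      /* short timeout: client disconnects */
    stream_t *st3 = stream_open(&s, 3);       /* another client reuses the slot */
    if (hardened)
        r.rc = discover_handler_safe(&s, &p, "delayed-nf-profile");
    else
        discover_handler_unsafe(&p, "delayed-nf-profile");
    snprintf(r.stream3_body, sizeof r.stream3_body, "%s", st3->response);
    return r;
}

int main(void) {
    replay_result_t u = replay(0), h = replay(1);
    printf("unsafe  : stream 3 now carries \"%s\"\n", u.stream3_body);
    printf("hardened: rc=%d, stream 3 carries \"%s\"\n", h.rc, h.stream3_body);
    return 0;
}
```

In the unsafe replay the delayed body lands in stream 3's buffer, i.e. in memory that now belongs to a different client; on a real heap the same write corrupts whatever was allocated there, or trips the abort the advisory describes. The hardened handler never touches the captured pointer: it re-resolves the stream id at delivery time and discards the answer when the lookup fails. The actual Open5GS fix is not reproduced here; the point is the pattern of keying pending asynchronous work by an identifier that is validated against live state, rather than by a pointer whose lifetime the callback does not control.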