Executive Summary

This vulnerability exists in Open5GS up to version 2.7.7, specifically in the shared NF-profile parser component located in the file lib/sbi/nnrf-handler.c. The issue arises when the parser processes an oversized list of TAC ranges within NFProfile messages. The parser uses fixed-size arrays and does not properly handle inputs exceeding these limits, leading to assertion failures and crashes of the network function processes.

An attacker can exploit this vulnerability remotely by sending a maliciously crafted NFProfile payload containing an excessive number of TAC ranges (17 or more), which causes the parser to abort and results in a denial-of-service (DoS) condition affecting multiple network functions such as NRF, AMF, SMF, and others.

A patch has been developed that implements pre-validation to reject oversized lists before processing and modifies the parser to gracefully handle oversized inputs without crashing.

Useful 0 Not Useful 0

Impact Analysis

The primary impact of this vulnerability is a denial-of-service (DoS) condition on the Open5GS network functions that rely on the shared NF-profile parser. When exploited, the affected processes (such as NRF, AMF, SMF, and others) crash and terminate unexpectedly, disrupting the operation of the 5G core network.

This disruption can lead to network instability, loss of service availability, and potential interruption of mobile network services dependent on these core functions.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal termination of Open5GS network functions such as NRF, AMF, SMF, and others that rely on the shared NF-profile parser. Specifically, look for process terminations with exit code 139 or SIGABRT signals related to the parsing of NFProfile messages.

Detection can involve capturing and analyzing SBA (Service-Based Architecture) traffic to identify NFProfile messages containing oversized inner lists, such as more than 16 entries in the tacRangeList or dnnSmfInfoList fields.

While no explicit commands are provided in the resources, network administrators can use packet capture tools like tcpdump or Wireshark to filter and inspect NFProfile messages for unusually large inner lists.

• Use tcpdump to capture SBA traffic on the relevant interface: tcpdump -i <interface> -w capture.pcap
• Analyze the capture with Wireshark or similar tools to inspect NFProfile payloads for oversized tacRangeList or dnnSmfInfoList entries.
• Monitor Open5GS logs and system logs for crashes or assertion failures related to lib/sbi/nnrf-handler.c.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to apply the patch provided by the Open5GS project that addresses this vulnerability.

The patch implements a two-tier defense: it adds pre-validation to reject oversized NFProfile inner lists with HTTP 400 Bad Request responses during registration, and it modifies the parser to gracefully cap and break oversized lists instead of crashing.

Until the patch is applied, consider monitoring and filtering incoming NFProfile messages to block or limit those with oversized inner lists to prevent triggering the denial-of-service condition.

Regularly update Open5GS to the latest version beyond 2.7.7 where this fix is included.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0