NextEPC MME Stack-Based Buffer Overflow Vulnerability in Emergency Number List Decoding
Vulnerability
A stack-based buffer overflow vulnerability has been identified in NextEPC MME version 1.0.1 and prior. It arises in the Emergency Number List decoding method: an attacker can send a NAS message with an oversized Emergency Number List value, and decoding that value overwrites the stack with arbitrary bytes. Notably, the issue can be exploited by an attacker with a cellphone connection to any base station managed by the MME, without the need for authentication with the LTE core.
Impact
Exploitation of this vulnerability leads to a stack-based buffer overflow, which can commonly be used to execute arbitrary code or cause a denial-of-service condition by crashing the application.
Reproduction
To reproduce this vulnerability, send a NAS message to the MME that includes an oversized Emergency Number List value. This can be done by an attacker with a cellphone connection to any base station managed by the MME, without requiring authentication.
Remediation
Users can upgrade to NextEPC version 1.6 or later, where this vulnerability has been fixed.
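The class of bug described under Vulnerability, shown as an added example that is not NextEPC's code: a length-prefixed value decoded into a fixed-size buffer, first without and then with the bounds checks. The names `enl_t`, `enl_decode_unchecked`, `enl_decode_checked` and the 48-octet limit are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: the value part holds at most 48 octets. */
#define ENL_MAX_VALUE_LEN 48

typedef struct {
    uint8_t length;
    uint8_t value[ENL_MAX_VALUE_LEN];
} enl_t; /* hypothetical type; callers usually keep it on the stack */

/* Flawed pattern (not called below): the peer-supplied length octet is used
 * as the copy size without checking the destination or the input left. */
int enl_decode_unchecked(enl_t *out, const uint8_t *buf, size_t buf_len)
{
    (void)buf_len;
    out->length = buf[0];
    memcpy(out->value, buf + 1, out->length); /* up to 255 bytes into 48 */
    return 1 + out->length;
}

/* Hardened form: returns octets consumed, or -1 on malformed input. */
int enl_decode_checked(enl_t *out, const uint8_t *buf, size_t buf_len)
{
    if (out == NULL || buf == NULL || buf_len < 1)
        return -1;
    uint8_t len = buf[0];
    if (len > sizeof(out->value))   /* would overflow the destination */
        return -1;
    if ((size_t)len > buf_len - 1)  /* would read past the received message */
        return -1;
    out->length = len;
    memcpy(out->value, buf + 1, len);
    return 1 + (int)len;
}

int main(void)
{
    /* Constructed samples: a 3-octet value, and a length octet of 200. */
    uint8_t ok[] = {3, 0x02, 0x1f, 0x11};
    uint8_t big[201] = {200};
    enl_t e;
    printf("ok=%d oversized=%d\n", enl_decode_checked(&e, ok, sizeof ok),
           enl_decode_checked(&e, big, sizeof big));
    return 0;
}
```

Rejecting the message on either failed check keeps a malformed NAS message from reaching the copy at all; the decoder returns an error the caller can log and drop.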
