Open5GS
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.6.4
A denial-of-service vulnerability has been identified in Open5GS MME versions through 2.6.4. The issue is an assertion failure that can be triggered remotely by sending a malformed ASN.1 packet over the S1AP interface. Specifically, an attacker can exploit this vulnerability by sending an 'E-RAB Modification Indication' message that omits the required 'MME_UE_S1AP_ID' field. Processing this message trips the assertion and crashes the MME, disrupting service.
Exploitation of this vulnerability leads to a persistent crash of the Open5GS MME, causing a denial-of-service condition that disrupts all cellular communications managed by the MME, including voice calls, messaging, and data services.
To reproduce this vulnerability, send an 'E-RAB Modification Indication' S1AP message to the Open5GS MME that is missing the 'MME_UE_S1AP_ID' field. This can be done by establishing a connection as an unauthenticated user and transmitting the crafted message over the S1AP interface.
Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.
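The defensive pattern for this bug class, as an added example (not Open5GS code and not the project's actual fix): a handler that treats a missing mandatory IE as a rejectable input error instead of asserting on it. The struct, enum, table and function names are hypothetical, and the UE table is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified view of a decoded E-RAB Modification Indication.
 * An IE pointer is NULL when the peer omitted it. Not Open5GS's real types. */
typedef struct {
    const uint32_t *mme_ue_s1ap_id; /* mandatory IE */
    const uint32_t *enb_ue_s1ap_id; /* mandatory IE */
} erab_mod_ind_t;

typedef enum { RC_OK, RC_MISSING_IE, RC_UNKNOWN_UE, RC_ID_MISMATCH } rc_t;

/* Constructed UE context table standing in for the MME's state. */
typedef struct { uint32_t mme_id, enb_id; } ue_ctx_t;
static const ue_ctx_t ue_table[] = { {1, 100}, {2, 200} };

static const ue_ctx_t *find_ue(uint32_t mme_id) {
    for (size_t i = 0; i < sizeof ue_table / sizeof ue_table[0]; i++)
        if (ue_table[i].mme_id == mme_id) return &ue_table[i];
    return NULL;
}

/* Peer-controlled input is validated and rejected, never asserted on:
 * an assert() here would abort the whole process on one bad message. */
rc_t handle_erab_mod_ind(const erab_mod_ind_t *msg) {
    if (!msg || !msg->mme_ue_s1ap_id || !msg->enb_ue_s1ap_id)
        return RC_MISSING_IE;   /* caller logs, rejects, keeps running */
    const ue_ctx_t *ue = find_ue(*msg->mme_ue_s1ap_id);
    if (!ue) return RC_UNKNOWN_UE;
    if (ue->enb_id != *msg->enb_ue_s1ap_id) return RC_ID_MISMATCH;
    return RC_OK;
}

int main(void) {
    uint32_t mme = 1, enb = 100;
    erab_mod_ind_t ok = { &mme, &enb };
    erab_mod_ind_t no_mme_id = { NULL, &enb }; /* the case from the advisory */
    printf("complete message: %d\n", (int)handle_erab_mod_ind(&ok));
    printf("missing MME_UE_S1AP_ID: %d\n", (int)handle_erab_mod_ind(&no_mme_id));
    return 0;
}
```

Assertions remain appropriate for internal invariants; anything an unauthenticated S1AP peer can influence belongs on the error-return path.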