Open5GS MME Assertion Failure Vulnerability in S1AP Interface Allowing Denial-of-Service

A denial-of-service vulnerability has been identified in Open5GS MME versions through 2.6.4. The issue arises from an assertion failure that can be remotely triggered by sending a malformed ASN.1 packet over the S1AP interface. Specifically, an attacker can exploit this vulnerability by sending an 'Initial Context Setup Failure' message that omits the required 'MME_UE_S1AP_ID' field. This exploitation causes the MME to crash, disrupting service.

Impact

Exploitation of this vulnerability leads to a persistent crash of the Mobility Management Entity (MME), causing a city-wide disruption of all cellular communications, including phone calls, messaging, and data services.

Reproduction

The vulnerability can be reproduced by sending a crafted 'Initial Context Setup Failure' message over the S1AP interface, using a packet that lacks the 'MME_UE_S1AP_ID' field. This can be done by an unauthenticated user, without the need for a SIM card or special equipment.