Open5GS MME
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.6.4
A denial-of-service vulnerability has been identified in Open5GS MME versions through 2.6.4. The issue arises from an assertion failure that can be remotely triggered by sending a malformed ASN.1 packet over the S1AP interface. Specifically, an attacker can send a 'Handover Request Ack' message that omits the required 'MME_UE_S1AP_ID' field, causing the MME to crash. This vulnerability disrupts cellular communications and could persist until network operators apply a patch.
Exploitation of this vulnerability causes the Open5GS MME to crash, leading to a denial-of-service condition that disrupts all cellular communications managed by the MME, including voice calls, messaging, and data services.
To reproduce this vulnerability, send a 'Handover Request Ack' message over the S1AP interface that lacks the 'MME_UE_S1AP_ID' field. This can be done by an unauthenticated mobile device or, potentially, by an entity on the Internet, taking advantage of misconfigurations that expose the S1AP interface to external traffic.
Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.
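The bug class described above, where an assertion guards a field whose presence the remote peer controls, is shown here next to a form that rejects only the malformed message. This is an added illustration and not Open5GS source code; the struct, function names, and counter are hypothetical, and the decoded message is simplified to the single field this advisory names.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified decoded message: a NULL pointer means the
 * peer omitted that IE. Names are illustrative, not Open5GS's. */
typedef struct {
    const uint32_t *mme_ue_s1ap_id; /* required, but presence is peer-controlled */
} ho_request_ack_t;

typedef enum { HO_OK = 0, HO_DROPPED = -1 } ho_result_t;

static unsigned long dropped_malformed; /* counter an operator could export and alert on */

/* Bug class from the advisory: an invariant about untrusted input is
 * enforced with assert(), so a missing IE aborts the whole process. */
ho_result_t handle_ho_ack_asserting(const ho_request_ack_t *msg, uint32_t *ue_id)
{
    assert(msg->mme_ue_s1ap_id != NULL);
    *ue_id = *msg->mme_ue_s1ap_id;
    return HO_OK;
}

/* Hardened form: validate presence, log, count, and drop only this message. */
ho_result_t handle_ho_ack_checked(const ho_request_ack_t *msg, uint32_t *ue_id)
{
    if (msg == NULL || msg->mme_ue_s1ap_id == NULL) {
        dropped_malformed++;
        fprintf(stderr, "S1AP: Handover Request Ack without MME_UE_S1AP_ID, dropped\n");
        return HO_DROPPED;
    }
    *ue_id = *msg->mme_ue_s1ap_id;
    return HO_OK;
}

unsigned long dropped_count(void) { return dropped_malformed; }

int main(void)
{
    uint32_t id = 0, value = 42;              /* constructed sample values */
    ho_request_ack_t ok = { &value }, malformed = { NULL };

    printf("well-formed: %d (id=%u)\n", handle_ho_ack_checked(&ok, &id), (unsigned)id);
    printf("malformed:   %d\n", handle_ho_ack_checked(&malformed, &id));
    printf("dropped so far: %lu\n", dropped_count());
    return 0;
}
```

A rising count of dropped malformed messages is a useful detection signal on deployments that have already been upgraded.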