Open5GS MME
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.6.4
A denial-of-service vulnerability exists in Open5GS MME versions through 2.6.4. The issue arises from an assertion that can be remotely triggered by sending a malformed ASN.1 packet over the S1AP interface. Specifically, an attacker can send a 'Handover Cancel' message that omits the required 'MME_UE_S1AP_ID' field, causing the MME to crash. This vulnerability can be exploited repeatedly, leading to a persistent disruption of service.
Exploitation of this vulnerability causes the Open5GS MME to crash, disrupting all cellular communications managed by the MME, including phone calls, messaging, and data services. This denial-of-service condition persists until the vulnerability is patched and the MME is restarted.
To reproduce this vulnerability, send a 'Handover Cancel' message over the S1AP interface to an Open5GS MME instance running a vulnerable version. The message must be crafted to exclude the 'MME_UE_S1AP_ID' field. This can be done using a software-defined radio (SDR) or, due to a recent change in Open5GS, over the internet by sending a few packets to the MME.
Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.
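The root cause described above is an assertion on a field that the remote peer controls. The following added example (not Open5GS code; the struct types, IE constants and function names are simplified assumptions) shows a handler that rejects a 'Handover Cancel' lacking a mandatory IE and returns an error instead of aborting the process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for a decoded S1AP message; not Open5GS types. */
enum { IE_MME_UE_S1AP_ID = 0, IE_CAUSE = 2, IE_ENB_UE_S1AP_ID = 8 };
typedef struct { int id; uint32_t value; } ie_t;
typedef struct { const ie_t *ies; size_t count; } handover_cancel_t;
typedef enum { HC_OK = 0, HC_MISSING_MANDATORY_IE = -1, HC_BAD_ARG = -2 } hc_status_t;

static const ie_t *find_ie(const handover_cancel_t *msg, int id)
{
    for (size_t i = 0; i < msg->count; i++)
        if (msg->ies[i].id == id)
            return &msg->ies[i];
    return NULL;
}

/* Validate peer-controlled input and return an error; never assert() on it. */
hc_status_t handle_handover_cancel(const handover_cancel_t *msg,
                                   uint32_t *mme_ue_id, uint32_t *enb_ue_id)
{
    if (!msg || !mme_ue_id || !enb_ue_id || (msg->count && !msg->ies))
        return HC_BAD_ARG;
    const ie_t *mme = find_ie(msg, IE_MME_UE_S1AP_ID);
    const ie_t *enb = find_ie(msg, IE_ENB_UE_S1AP_ID);
    if (!mme || !enb) {
        /* An abort here would turn one malformed message into an outage. */
        fprintf(stderr, "HandoverCancel dropped: mandatory IE missing\n");
        return HC_MISSING_MANDATORY_IE;
    }
    *mme_ue_id = mme->value;
    *enb_ue_id = enb->value;
    return HC_OK;
}

int main(void)
{
    /* Constructed sample inputs (already-decoded IE lists, not wire data). */
    const ie_t complete[] = { {IE_MME_UE_S1AP_ID, 7}, {IE_ENB_UE_S1AP_ID, 42}, {IE_CAUSE, 0} };
    const ie_t missing[] = { {IE_ENB_UE_S1AP_ID, 42}, {IE_CAUSE, 0} };
    handover_cancel_t ok = { complete, 3 }, bad = { missing, 2 };
    uint32_t m = 0, e = 0;
    printf("complete: %d\n", handle_handover_cancel(&ok, &m, &e));
    printf("missing:  %d\n", handle_handover_cancel(&bad, &m, &e));
    return 0;
}
```

The caller is expected to log the error, drop or reject the message, and keep serving other UEs; the output parameters are left untouched on failure.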