Open5GS MME Buffer Overflow Vulnerability in S1AP ASN.1 Deserialization

Vulnerability

Open5GS MME versions up to and including 2.6.4 contain a buffer overflow in the S1AP handler's ASN.1 deserialization routine. Length values taken from the received S1AP message are not properly validated, so an over-long element corrupts memory beyond the decoded field. Because the corrupted memory holds other decoded fields, the result is type confusion: later processing interprets the overwritten values as data of a different type, which leads to invalid parsing and further memory manipulation. An attacker able to deliver S1AP traffic to the MME can crash it and, under suitable conditions, may be able to execute arbitrary code.
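To make the failure mode concrete, the following is an added illustration in C. It is not Open5GS code and does not reproduce the real S1AP ASN.1 structures; every name, tag value and sample byte is made up for the example. It decodes a constructed [tag][length][value] element into a record whose one-byte type tag sits directly after a 16-byte value field. The vulnerable decoder checks the sender-supplied length only against the input it has, so an over-long value runs onto the tag and the record is later read as a different type. The hardened decoder also checks the length against the destination capacity and rejects the element before copying anything. The harness buffer is deliberately oversized so the faulty copy can be observed without writing outside a real allocation.

```c
/*
 * Added illustration, not Open5GS code: a toy TLV decoder that trusts a
 * sender-supplied length, beside a hardened version. Constructed record
 * layout: 16 value bytes followed by a one-byte type tag, so an over-long
 * copy runs onto the tag and changes how later code interprets the record.
 * The harness buffer is oversized so the faulty copy stays inside a real
 * allocation while still being observable.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VALUE_CAP    16u            /* capacity of the decoded value field */
#define TAG_OFFSET   VALUE_CAP      /* type tag stored right after the value */
#define HARNESS_SIZE (2u + 255u)    /* room for the worst one-byte length */
#define REJECTED     0xFF           /* sentinel: decoder refused the element */

/* Hypothetical tag values for the constructed wire format [tag][len][value].
 * They are not 3GPP codepoints. */
#define TAG_UE_ID   0x11
#define TAG_PLMN_ID 0x22

typedef int (*decoder_fn)(const uint8_t *in, size_t in_len, uint8_t *rec);

/* Vulnerable: checks only that the input holds `len` bytes, never that the
 * destination field can hold them. */
int decode_vuln(const uint8_t *in, size_t in_len, uint8_t *rec)
{
    if (in_len < 2) return -1;
    uint8_t tag = in[0];
    size_t  len = in[1];
    if (len > in_len - 2) return -1;   /* input bound only */
    rec[TAG_OFFSET] = tag;
    memcpy(rec, in + 2, len);          /* len > VALUE_CAP overwrites the tag */
    return 0;
}

/* Hardened: validates the length against the remaining input and against the
 * destination capacity before copying; a rejected element leaves `rec` alone. */
int decode_fixed(const uint8_t *in, size_t in_len, uint8_t *rec)
{
    if (in_len < 2) return -1;
    uint8_t tag = in[0];
    size_t  len = in[1];
    if (len > in_len - 2) return -1;   /* truncated element */
    if (len > VALUE_CAP) return -1;    /* over-long element */
    memset(rec, 0, VALUE_CAP);
    memcpy(rec, in + 2, len);
    rec[TAG_OFFSET] = tag;
    return 0;
}

/* Decodes one element into a fresh record and returns the tag the record
 * carries afterwards, or REJECTED if the decoder refused the element. */
int decoded_tag(decoder_fn decode, const uint8_t *in, size_t in_len)
{
    uint8_t rec[HARNESS_SIZE];
    memset(rec, 0, sizeof rec);
    if (decode(in, in_len, rec) != 0) return REJECTED;
    return rec[TAG_OFFSET];
}

/* Constructed sample elements (not captured traffic). */
static const uint8_t BENIGN[]    = { TAG_UE_ID, 8, 1, 2, 3, 4, 5, 6, 7, 8 };
static const uint8_t OVERLONG[]  = { TAG_UE_ID, 20,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, /* fills the field */
    TAG_PLMN_ID, 0, 0, 0 };                                /* 17th byte hits the tag */
static const uint8_t TRUNCATED[] = { TAG_UE_ID, 20, 1, 2, 3 };

int main(void)
{
    printf("benign    vuln=0x%02X fixed=0x%02X\n",
           decoded_tag(decode_vuln, BENIGN, sizeof BENIGN),
           decoded_tag(decode_fixed, BENIGN, sizeof BENIGN));
    printf("overlong  vuln=0x%02X fixed=0x%02X\n",
           decoded_tag(decode_vuln, OVERLONG, sizeof OVERLONG),
           decoded_tag(decode_fixed, OVERLONG, sizeof OVERLONG));
    printf("truncated vuln=0x%02X fixed=0x%02X\n",
           decoded_tag(decode_vuln, TRUNCATED, sizeof TRUNCATED),
           decoded_tag(decode_fixed, TRUNCATED, sizeof TRUNCATED));
    return 0;
}
```

On the over-long element the vulnerable decoder reports a record tagged TAG_PLMN_ID although the sender declared TAG_UE_ID, which is the type confusion the advisory describes; the hardened decoder rejects the same bytes and accepts only the benign element. The hardened version checks both bounds before touching the record, so a rejected element cannot leave a half-written field behind. In generated ASN.1 decoders the equivalent is honoring the declared SIZE constraint and the remaining-bytes count of the enclosing container before any copy.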

Impact

Exploitation causes a denial-of-service condition by crashing the MME. The MME is the control-plane anchor for every base station attached to it, so a crash interrupts service for all subscribers in its service area, not just the session that carried the malformed message. Because the flaw is a buffer overflow rather than a simple parser abort, remote code execution is also possible; a proof-of-concept exploit developed for a similar vulnerability in the SD-Core implementation demonstrated that this class of bug can be taken that far.

Reproduction

The vulnerability is reproduced by sending a crafted S1AP PDU that reaches the vulnerable ASN.1 deserialization path. S1AP is exchanged over SCTP (port 36412) between the base station and the MME, so the attacker needs a position from which S1AP can be delivered to the MME's S1-MME interface. Two delivery paths are cited: over the air, using a software-defined radio running base-station software to connect to the MME, or over the internet where the operator's core is reachable through the Wi-Fi calling path.

Remediation

Upgrade to Open5GS version 2.7.0 or later, where this vulnerability is fixed. Until the upgrade is deployed, restrict which SCTP peers can reach the MME's S1-MME interface (for example, by firewalling it to the addresses of known base stations) so that untrusted hosts cannot deliver S1AP traffic to the MME.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 7.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.