Open5GS MME
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.6.4
A vulnerability exists in Open5GS MME versions through 2.6.4, where an assertion can be remotely triggered by sending a malformed ASN.1 packet over the S1AP interface. The issue arises when a 'Handover Notification' message is sent without the required 'MME_UE_S1AP_ID' field, causing the MME to crash and leading to a denial-of-service condition.
Exploitation of this vulnerability causes a persistent denial-of-service condition by crashing the MME, disrupting all cellular communications managed by the entity.
To reproduce this vulnerability, send a 'Handover Notification' message over the S1AP interface to an Open5GS MME instance running a vulnerable version. The message must omit the 'MME_UE_S1AP_ID' field. This can be done with a tool that can send ASN.1 packets over S1AP, either through a software-defined radio (SDR) or over the Internet if the MME is accessible.
Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.
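The crash described above comes from asserting on a field whose presence the remote peer controls; a handler that treats the missing field as a rejectable input error keeps running. The C program below is an added example, not Open5GS source: its types and function names are hypothetical, it also checks the eNB-side identifier (going slightly beyond the one field this page names), and the IE identifier values are an assumption taken from 3GPP TS 36.413.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a decoded S1AP message: a flat list of protocol IEs.
 * Hypothetical types for illustration, not Open5GS structures. */
typedef struct { uint16_t id; uint32_t value; } s1ap_ie_t;
typedef struct { const s1ap_ie_t *ies; size_t count; } s1ap_msg_t;

/* ProtocolIE-ID values (assumption: taken from 3GPP TS 36.413). */
enum { IE_MME_UE_S1AP_ID = 0, IE_ENB_UE_S1AP_ID = 8 };
enum { HANDLE_OK = 0, HANDLE_MISSING_IE = -1 };

static const s1ap_ie_t *find_ie(const s1ap_msg_t *m, uint16_t id)
{
    for (size_t i = 0; i < m->count; i++)
        if (m->ies[i].id == id)
            return &m->ies[i];
    return NULL;
}

/* The peer decides which IEs are present, so a missing mandatory IE is
 * untrusted input to reject, never a condition to assert() on. */
int handle_handover_notification(const s1ap_msg_t *m, uint32_t *mme_ue_id)
{
    const s1ap_ie_t *mme = find_ie(m, IE_MME_UE_S1AP_ID);
    const s1ap_ie_t *enb = find_ie(m, IE_ENB_UE_S1AP_ID);

    if (mme == NULL || enb == NULL) {
        fprintf(stderr, "S1AP: message dropped, missing %s\n",
                mme == NULL ? "MME_UE_S1AP_ID" : "ENB_UE_S1AP_ID");
        return HANDLE_MISSING_IE;   /* caller discards it; process stays up */
    }
    *mme_ue_id = mme->value;        /* safe: presence was checked above */
    return HANDLE_OK;
}

int main(void)
{
    /* Constructed sample messages: one complete, one without MME_UE_S1AP_ID. */
    const s1ap_ie_t ok[]  = { { IE_MME_UE_S1AP_ID, 7 }, { IE_ENB_UE_S1AP_ID, 42 } };
    const s1ap_ie_t bad[] = { { IE_ENB_UE_S1AP_ID, 42 } };
    const s1ap_msg_t complete = { ok, 2 }, malformed = { bad, 1 };
    uint32_t id = 0;

    printf("complete:  %d\n", handle_handover_notification(&complete, &id));
    printf("malformed: %d\n", handle_handover_notification(&malformed, &id));
    return 0;
}
```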