Open5GS MME
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.6.4
A denial-of-service vulnerability has been identified in Open5GS MME versions through 2.6.4. The issue arises from an assertion that can be remotely triggered by sending a malformed ASN.1 packet over the S1AP interface. Specifically, an attacker can send a 'Path Switch Request' message that omits the required 'MME_UE_S1AP_ID' field, causing the MME to crash repeatedly.
Exploitation of this vulnerability causes the Open5GS MME to crash, disrupting all cellular communications managed by the MME, including phone calls, messaging, and data services. This denial-of-service condition persists until network operators can identify and address the issue.
To reproduce this vulnerability, send a 'Path Switch Request' S1AP message from an unauthenticated mobile device. The message must be crafted to exclude the 'MME_UE_S1AP_ID' field. This can be done using software-defined radio (SDR) equipment or, due to the availability of Wi-Fi calling services, over the Internet without a SIM card or SDR.
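The defensive counterpart to the assertion described above, as an added example that is not Open5GS code: a handler that treats a missing mandatory field as a rejected message instead of a process abort. The struct, enum and function names are hypothetical, and the decoded-message layout (a NULL pointer for an absent field) is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified view of a decoded Path Switch Request.
 * A NULL pointer means the field was absent from the received message. */
typedef struct {
    const uint32_t *enb_ue_s1ap_id;
    const uint32_t *mme_ue_s1ap_id; /* the field named in the advisory */
} path_switch_request_t;

typedef enum {
    PSR_OK = 0,
    PSR_ERR_NULL_MESSAGE,
    PSR_ERR_MISSING_ENB_UE_S1AP_ID,
    PSR_ERR_MISSING_MME_UE_S1AP_ID
} psr_result_t;

static unsigned long psr_rejected; /* export as a metric for alerting */

/* Crash-prone pattern: assert(msg->mme_ue_s1ap_id); aborts the whole
 * process on peer-controlled input. Validate and return instead. */
psr_result_t psr_validate(const path_switch_request_t *msg)
{
    if (msg == NULL) return PSR_ERR_NULL_MESSAGE;
    if (msg->enb_ue_s1ap_id == NULL) return PSR_ERR_MISSING_ENB_UE_S1AP_ID;
    if (msg->mme_ue_s1ap_id == NULL) return PSR_ERR_MISSING_MME_UE_S1AP_ID;
    return PSR_OK;
}

/* Returns 0 when the message was accepted, -1 when it was dropped. */
int psr_handle(const path_switch_request_t *msg)
{
    psr_result_t rc = psr_validate(msg);
    if (rc != PSR_OK) {
        psr_rejected++;
        fprintf(stderr, "Path Switch Request dropped, reason=%d\n", (int)rc);
        return -1; /* only this message is refused; the process keeps serving */
    }
    /* ... look up the UE context by *msg->mme_ue_s1ap_id and continue ... */
    return 0;
}

unsigned long psr_rejected_count(void) { return psr_rejected; }
```

A rising rejected count is also a usable detection signal for repeated malformed messages on the S1AP interface.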