Open5GS MME Assertion-Related Denial-of-Service Vulnerability via Malformed ASN.1 Packets

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS MME versions through 2.6.4. The issue arises from an assertion that can be remotely triggered by sending a malformed 'UE Context Modification Response' message over the S1AP interface. The malformed message can omit a required 'MME_UE_S1AP_ID' field, causing the MME to crash. This vulnerability can be exploited repeatedly, leading to a persistent denial-of-service condition.
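The failure mode described above, as an added example that is not Open5GS code: a handler that asserts on a peer-supplied field beside one that treats the missing field as a per-message error. The struct layout, function names and sample messages are hypothetical and constructed for illustration; only the two IE ids come from 3GPP TS 36.413.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a decoded S1AP message: a list of (IE id, value) pairs.
 * Types and function names are hypothetical, not Open5GS code. */
enum { IE_MME_UE_S1AP_ID = 0, IE_ENB_UE_S1AP_ID = 8 }; /* ids per 3GPP TS 36.413 */

typedef struct { int id; uint32_t value; } ie_t;
typedef struct { const ie_t *ies; size_t count; } s1ap_msg_t;

static const uint32_t *find_ie(const s1ap_msg_t *m, int id) {
    for (size_t i = 0; i < m->count; i++)
        if (m->ies[i].id == id) return &m->ies[i].value;
    return NULL;
}

/* Crash-prone pattern: peer-controlled input checked with assert(). */
int handle_resp_asserting(const s1ap_msg_t *m, uint32_t *mme_ue_id) {
    const uint32_t *id = find_ie(m, IE_MME_UE_S1AP_ID);
    assert(id); /* aborts the whole process if the peer omitted the IE */
    *mme_ue_id = *id;
    return 0;
}

/* Hardened pattern: a missing mandatory IE is a per-message error. */
int handle_resp_checked(const s1ap_msg_t *m, uint32_t *mme_ue_id) {
    const uint32_t *id = find_ie(m, IE_MME_UE_S1AP_ID);
    if (id == NULL) {
        fprintf(stderr, "UEContextModificationResponse: no MME_UE_S1AP_ID, dropping\n");
        return -1; /* reject this message, keep serving other UEs */
    }
    *mme_ue_id = *id;
    return 0;
}

/* Constructed sample messages. */
static const ie_t well_formed[] = { {IE_MME_UE_S1AP_ID, 7}, {IE_ENB_UE_S1AP_ID, 42} };
static const ie_t malformed[]   = { {IE_ENB_UE_S1AP_ID, 42} };

int main(void) {
    uint32_t id = 0;
    s1ap_msg_t ok = { well_formed, 2 }, bad = { malformed, 1 };
    printf("well-formed -> %d\n", handle_resp_checked(&ok, &id));
    printf("malformed   -> %d\n", handle_resp_checked(&bad, &id));
    return 0;
}
```

The asserting handler is only safe to call on the well-formed sample; on the malformed one it terminates the process, which is the denial-of-service condition.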

Impact

Exploitation of this vulnerability causes the Open5GS MME to crash, disrupting all cellular communications managed by the MME, including voice calls, messaging, and data services. This disruption can affect an entire metropolitan area or city.

Reproduction

The vulnerability can be reproduced by sending a 'UE Context Modification Response' message over the S1AP interface that lacks the 'MME_UE_S1AP_ID' field. This can be done using a software-defined radio (SDR) or over the Internet, taking advantage of Wi-Fi calling services that route packets to the cellular core.

Remediation

Users can upgrade to Open5GS MME version 2.7.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.