Open5GS MME
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.6.4
A denial-of-service vulnerability has been identified in Open5GS MME versions through 2.6.4. The issue arises from an assertion that can be remotely triggered by sending a malformed ASN.1 packet over the S1AP interface. Specifically, an attacker can send an 'S1Setup Request' message that omits the required 'Global eNB ID' field, causing the MME to crash. Because the attack can be repeated, it can lead to a persistent denial-of-service condition.
Exploitation of this vulnerability causes the Open5GS MME to crash, disrupting all cellular communications managed by the MME, including phone calls, messaging, and data services. This disruption can persist until the vulnerability is patched, potentially causing widespread service outages in the affected area.
To reproduce this vulnerability, send an 'S1Setup Request' message over the S1AP interface that lacks the 'Global eNB ID' field. This can be done by an unauthenticated mobile device or, due to the availability of Wi-Fi Calling services, by any entity on the Internet.
Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.
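The failure class described above, a process-ending assertion on a field the peer controls, is avoided by checking mandatory IEs and answering with a failure instead. The following is an added example, not Open5GS code and not the project's actual fix: the types, function names and sample messages are hypothetical, and only the IE ids are taken from 3GPP TS 36.413.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ProtocolIE-ID values from 3GPP TS 36.413 (S1AP). */
enum { IE_GLOBAL_ENB_ID = 59, IE_SUPPORTED_TAS = 64, IE_DEFAULT_PAGING_DRX = 137 };

/* Hypothetical decoded-message types for illustration; not Open5GS structures. */
typedef struct { uint16_t id; const void *value; } ie_t;
typedef struct { const ie_t *ies; size_t count; } s1_setup_request_t;
typedef enum { S1_SETUP_ACCEPT, S1_SETUP_FAILURE } s1_setup_result_t;

/* Return the first mandatory IE id that is absent or has no value, 0 if none. */
uint16_t first_missing_mandatory_ie(const s1_setup_request_t *req)
{
    static const uint16_t mandatory[] = {
        IE_GLOBAL_ENB_ID, IE_SUPPORTED_TAS, IE_DEFAULT_PAGING_DRX };
    for (size_t m = 0; m < sizeof mandatory / sizeof mandatory[0]; m++) {
        int found = 0;
        for (size_t i = 0; req && req->ies && i < req->count; i++)
            if (req->ies[i].id == mandatory[m] && req->ies[i].value != NULL)
                found = 1;
        if (!found)
            return mandatory[m];
    }
    return 0;
}

/* No assert() on peer-controlled state: a malformed request is rejected
 * and the caller keeps serving other peers. */
s1_setup_result_t handle_s1_setup_request(const s1_setup_request_t *req)
{
    if (first_missing_mandatory_ie(req) != 0)
        return S1_SETUP_FAILURE;   /* reply with a failure message, do not abort */
    return S1_SETUP_ACCEPT;
}

/* Constructed samples: values are placeholders, only IE presence matters. */
static const int dummy = 1;
static const ie_t complete_ies[] = { { IE_GLOBAL_ENB_ID, &dummy },
    { IE_SUPPORTED_TAS, &dummy }, { IE_DEFAULT_PAGING_DRX, &dummy } };
static const ie_t no_enb_id_ies[] = {
    { IE_SUPPORTED_TAS, &dummy }, { IE_DEFAULT_PAGING_DRX, &dummy } };
const s1_setup_request_t sample_complete = { complete_ies, 3 };
const s1_setup_request_t sample_no_enb_id = { no_enb_id_ies, 2 };

int main(void)
{
    printf("complete=%d malformed=%d missing_ie=%u\n",
           handle_s1_setup_request(&sample_complete),
           handle_s1_setup_request(&sample_no_enb_id),
           (unsigned)first_missing_mandatory_ie(&sample_no_enb_id));
    return 0;
}
```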