Open5GS MME Assertion Failure Vulnerability in S1AP Interface Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS MME versions through 2.6.4. The issue arises from an assertion failure that can be remotely triggered by sending a malformed ASN.1 packet over the S1AP interface. Specifically, an attacker can exploit this vulnerability by sending a 'UE Capability Info Indication' message that omits the required 'MME_UE_S1AP_ID' field. This exploitation causes the MME to crash repeatedly, leading to a persistent disruption of service.

Impact

Exploitation of this vulnerability causes the Open5GS MME to crash, disrupting all cellular communications managed by the MME, including phone calls, messaging, and data services. This disruption can persist until network operators identify and address the issue.

Reproduction

To reproduce this vulnerability, send a 'UE Capability Info Indication' message over the S1AP interface to an Open5GS MME instance running a vulnerable version. The message must be crafted to exclude the 'MME_UE_S1AP_ID' field. This can be done using a software-defined radio (SDR) or, due to the availability of Wi-Fi calling services, potentially by any entity on the Internet without a SIM card or SDR equipment.

Remediation

Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.
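The bug class described above, an assertion on a field the remote peer controls, is shown here beside its hardened form. This is an added example, not Open5GS code: the struct, enum and function names are hypothetical, and the UE lookup is a constructed stand-in.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified decoded message: an IE pointer stays NULL
 * when the peer omitted that IE. Not Open5GS's real types. */
typedef struct {
    const uint32_t *mme_ue_s1ap_id;      /* mandatory */
    const uint32_t *enb_ue_s1ap_id;      /* mandatory */
    const uint8_t  *ue_radio_capability; /* mandatory */
    size_t          ue_radio_capability_len;
} ue_cap_info_ind_t;
typedef enum { HANDLE_OK, HANDLE_MISSING_IE, HANDLE_UNKNOWN_UE } result_t;

/* Constructed stand-in for the UE context lookup: only ID 1 is known. */
static int ue_known(uint32_t id) { return id == 1; }

/* Fragile pattern: assert() on peer-controlled input. One malformed
 * message stops the whole process. Shown for contrast, never called. */
result_t handle_asserting(const ue_cap_info_ind_t *msg)
{
    assert(msg->mme_ue_s1ap_id);
    return ue_known(*msg->mme_ue_s1ap_id) ? HANDLE_OK : HANDLE_UNKNOWN_UE;
}

/* Hardened pattern: a missing mandatory IE is a protocol error that is
 * counted and rejected, so the process keeps serving other UEs. */
result_t handle_checked(const ue_cap_info_ind_t *msg, unsigned *rejected)
{
    if (!msg || !msg->mme_ue_s1ap_id || !msg->enb_ue_s1ap_id ||
        !msg->ue_radio_capability || msg->ue_radio_capability_len == 0) {
        if (rejected) (*rejected)++;   /* feed a metric or alert */
        return HANDLE_MISSING_IE;
    }
    return ue_known(*msg->mme_ue_s1ap_id) ? HANDLE_OK : HANDLE_UNKNOWN_UE;
}

int main(void)
{
    /* Constructed input: MME_UE_S1AP_ID left out by the sender. */
    static const uint32_t enb_id = 7;
    static const uint8_t cap[] = { 0x01, 0x02 };
    ue_cap_info_ind_t msg = { NULL, &enb_id, cap, sizeof cap };
    unsigned rejected = 0;
    result_t r = handle_checked(&msg, &rejected);
    printf("result=%d rejected=%u\n", (int)r, rejected);
    return r == HANDLE_MISSING_IE ? 0 : 1;
}
```

The rejection counter is the useful operational signal: a rising count of messages rejected for missing mandatory IEs is worth alerting on even after the upgrade.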

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.