Open5GS MME Assertion Failure Vulnerability via Malformed ASN.1 Packets

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS MME versions through 2.6.4. The issue is an assertion failure that can be triggered remotely by sending a malformed ASN.1 packet over the S1AP interface. Specifically, an attacker can send a 'UE Context Release Complete' message that omits the mandatory 'MME_UE_S1AP_ID' information element. Because the MME asserts on the presence of that element instead of rejecting the message, the omission causes the MME process to crash, leading to a persistent denial-of-service condition.
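The failure mode described above, a handler that asserts a mandatory IE is present, next to the fail-safe handling a defender wants instead: validate the decoded message against its mandatory-IE list, log and discard anything malformed, and keep serving other subscribers. This is an added illustration written for this page; it is not Open5GS code and does not model its ASN.1 decoder. The message model, the eNB labels and the ID values are constructed; the procedure and IE names follow the advisory and 3GPP TS 36.413 (which also makes eNB_UE_S1AP_ID mandatory for this procedure).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# IE and procedure names follow the advisory and TS 36.413; the message model
# is a constructed simplification, not Open5GS's decoder output.
UE_CONTEXT_RELEASE_COMPLETE = "UEContextReleaseComplete"

# Mandatory IEs per procedure. The advisory names MME_UE_S1AP_ID; eNB_UE_S1AP_ID
# is likewise mandatory for this procedure in TS 36.413.
MANDATORY_IES: Dict[str, Tuple[str, ...]] = {
    UE_CONTEXT_RELEASE_COMPLETE: ("MME_UE_S1AP_ID", "eNB_UE_S1AP_ID"),
}


@dataclass
class S1apMessage:
    """A decoded S1AP PDU reduced to its procedure name and IE map (constructed)."""
    procedure: str
    enb: str                      # constructed peer label, e.g. "enb-1"
    ies: Dict[str, int] = field(default_factory=dict)


def handle_release_complete_unsafe(msg: S1apMessage) -> Tuple[str, int]:
    """Handler shape the advisory describes: the IE is assumed to be present.

    In a C core this would be a process-terminating assert; here it raises
    AssertionError, which stands in for the MME crash.
    """
    assert "MME_UE_S1AP_ID" in msg.ies, "MME_UE_S1AP_ID missing"
    return ("released", msg.ies["MME_UE_S1AP_ID"])


def missing_mandatory_ies(msg: S1apMessage) -> List[str]:
    """Return the mandatory IEs absent from msg for its procedure."""
    return [ie for ie in MANDATORY_IES.get(msg.procedure, ()) if ie not in msg.ies]


def handle_release_complete_safe(msg: S1apMessage, log: List[str]) -> Tuple[str, object]:
    """Fail-safe handler: validate first, reject malformed input, keep serving."""
    missing = missing_mandatory_ies(msg)
    if missing:
        # Log and discard: a peer's protocol error must not become our outage.
        log.append(f"{msg.enb}: {msg.procedure} missing mandatory IE(s) {missing}; discarded")
        return ("rejected", missing)
    return ("released", msg.ies["MME_UE_S1AP_ID"])


def run_demo() -> Dict[str, object]:
    """Feed a well-formed and a malformed message through both handlers."""
    log: List[str] = []
    good = S1apMessage(UE_CONTEXT_RELEASE_COMPLETE, "enb-1",
                       {"MME_UE_S1AP_ID": 1001, "eNB_UE_S1AP_ID": 7})
    bad = S1apMessage(UE_CONTEXT_RELEASE_COMPLETE, "enb-2",
                      {"eNB_UE_S1AP_ID": 7})   # MME_UE_S1AP_ID omitted

    results: Dict[str, object] = {
        "safe_good": handle_release_complete_safe(good, log),
        "safe_bad": handle_release_complete_safe(bad, log),
    }
    try:
        handle_release_complete_unsafe(bad)
        results["unsafe_bad"] = "survived"
    except AssertionError:
        results["unsafe_bad"] = "crashed"   # the outage the advisory describes
    results["log"] = log
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The validation table is the point: checking every mandatory IE of a procedure before the handler touches any of them turns a remotely triggerable abort into a logged, rejected message, and the log line gives operators something to alert on per peer eNB.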

Impact

Exploitation of this vulnerability causes a crash of the Open5GS MME, disrupting all cellular communications managed by the MME. This includes phone calls, messaging, and data services, creating a city-wide service disruption.

Reproduction

The vulnerability can be reproduced by sending a 'UE Context Release Complete' message over the S1AP interface, using a malformed packet that excludes the 'MME_UE_S1AP_ID' field. This can be done by an unauthenticated mobile device, or by an attacker with access to the IPsec network used by base stations to communicate with the cellular core.

Remediation

Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.