Open5GS MME Reachable Assertion Vulnerability in UE Context Release Request Packet Handling

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS MME versions through 2.6.4. The issue arises from a reachable assertion in the 'UE Context Release Request' packet handler. When a packet carries an invalid 'MME_UE_S1AP_ID' field, the assertion fails and the Open5GS MME crashes. An attacker who repeatedly sends such packets can cause a persistent disruption of service.

Impact

Exploitation of this vulnerability leads to a crash of the Open5GS MME, causing a denial-of-service condition on the cellular network. This disruption affects all communications within the network, including voice calls, messaging, and data services.

Reproduction

To reproduce this vulnerability, send 'UE Context Release Request' S1AP packets to the Open5GS MME that contain invalid 'MME_UE_S1AP_ID' fields. The MME will crash upon processing these packets, leading to a denial-of-service condition on the network.

Remediation

Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.
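
The bug class described above, a reachable assertion on a peer-supplied identifier, shown beside its defensive form as an added illustration in C. This is a simplified model, not Open5GS source code or the project's actual fix; every type, function and value name in it is hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified model, not Open5GS code: all names here are hypothetical. */
typedef struct { uint32_t mme_ue_s1ap_id; int active; } ue_ctx_t;

enum handler_result { RELEASE_STARTED = 0, REJECT_UNKNOWN_ID = 1 };

#define MAX_UE 4
static ue_ctx_t ue_table[MAX_UE] = {   /* constructed sample contexts */
    { 1001, 1 }, { 1002, 1 }, { 0, 0 }, { 0, 0 }
};

/* Returns the context for an ID taken from the wire, or NULL if none matches. */
static ue_ctx_t *find_ue(uint32_t id)
{
    for (size_t i = 0; i < MAX_UE; i++)
        if (ue_table[i].active && ue_table[i].mme_ue_s1ap_id == id)
            return &ue_table[i];
    return NULL;
}

/* Weak pattern: a peer-controlled value decides whether assert() fires,
 * so one message with an unknown ID aborts the whole process. */
int handle_release_request_asserting(uint32_t id)
{
    ue_ctx_t *ue = find_ue(id);
    assert(ue != NULL);              /* reachable from the network */
    ue->active = 0;
    return RELEASE_STARTED;
}

/* Hardened pattern: an unknown ID is an expected input. Reject the message
 * (e.g. with an S1AP Error Indication) and keep serving other UEs. */
int handle_release_request_checked(uint32_t id)
{
    ue_ctx_t *ue = find_ue(id);
    if (ue == NULL)
        return REJECT_UNKNOWN_ID;
    ue->active = 0;
    return RELEASE_STARTED;
}
```

Assertions are appropriate for internal invariants; any condition that depends on the contents of a received message needs an explicit error path instead.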

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 7.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.