Open5GS MME Reachable Assertion Vulnerability in Uplink NAS Transport Packet Handler

Vulnerability

A denial-of-service vulnerability has been identified in Open5GS MME versions through 2.6.4. The issue arises from a reachable assertion in the 'Uplink NAS Transport' packet handler, where a packet lacking the 'MME_UE_S1AP_ID' field causes the application to crash. This vulnerability can be exploited by an attacker who repeatedly sends such packets, leading to a persistent disruption of service.
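The bug class described above, shown as an added example that is not Open5GS code: a handler that asserts on a peer-supplied mandatory field next to one that rejects the message and keeps running. The struct, function names and return codes are hypothetical and model a decoded message in which a NULL pointer stands for an absent IE.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified model of a decoded Uplink NAS Transport message
 * (not Open5GS's types). A NULL pointer means the IE was absent. */
typedef struct {
    const uint32_t *mme_ue_s1ap_id;  /* mandatory IE */
    const uint32_t *enb_ue_s1ap_id;  /* mandatory IE */
    const uint8_t  *nas_pdu;         /* mandatory IE */
} uplink_nas_t;

typedef enum { HANDLE_OK = 0, HANDLE_MISSING_IE = -1 } handle_rc_t;

/* Reachable-assertion pattern: peer-controlled input checked with assert(),
 * so one malformed packet aborts the whole process. */
uint32_t handle_asserting(const uplink_nas_t *msg)
{
    assert(msg->mme_ue_s1ap_id);
    return *msg->mme_ue_s1ap_id;
}

/* Hardened pattern: a missing mandatory IE is an expected input error. The
 * message is rejected and the caller can log it and keep serving other UEs. */
handle_rc_t handle_checked(const uplink_nas_t *msg, uint32_t *ue_id_out)
{
    if (!msg || !msg->mme_ue_s1ap_id || !msg->enb_ue_s1ap_id || !msg->nas_pdu)
        return HANDLE_MISSING_IE;
    *ue_id_out = *msg->mme_ue_s1ap_id;
    return HANDLE_OK;
}

/* Runs a batch through the hardened handler; returns how many were accepted
 * and counts rejections, showing that bad input no longer ends the loop. */
size_t process_batch(const uplink_nas_t *msgs, size_t n, size_t *rejected)
{
    size_t accepted = 0;
    uint32_t ue_id;
    *rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (handle_checked(&msgs[i], &ue_id) == HANDLE_OK)
            accepted++;
        else
            (*rejected)++;
    }
    return accepted;
}
```

The rejection count returned through `rejected` is the kind of value worth exporting as a metric, since a burst of messages missing mandatory IEs is a useful detection signal.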

Impact

Exploitation of this vulnerability causes a crash of the Open5GS MME, disrupting all cellular communications managed by the MME, including voice calls, messaging, and data services. This denial-of-service condition persists until network operators can identify and address the issue.

Reproduction

The vulnerability can be reproduced by sending 'Uplink NAS Transport' S1AP packets that omit the 'MME_UE_S1AP_ID' field. This can be done by an unauthenticated mobile device or, potentially, by an entity on the Internet, taking advantage of misconfigurations that allow such packets to reach the Open5GS MME.

Remediation

Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.