Magma Mobile Management Entity Null Pointer Dereference Vulnerability via Malformed S1AP Reset Packet

Vulnerability

A null pointer dereference vulnerability has been identified in the Mobile Management Entity (MME) component of Magma versions through 1.8.0. This vulnerability allows network-adjacent attackers to crash the MME by sending an S1AP Reset packet that omits the required ResetType field. The issue arises because the MME's S1AP handling routines do not properly validate the presence of this field before attempting to access it, leading to a crash when the field is missing.
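
The missing presence check described above, as an added C example that is not Magma's code: the type names, function names, IE id values and sample messages are all constructed for illustration. The unchecked handler shows the flawed pattern, and the checked handler rejects a Reset that lacks ResetType.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a decoded S1AP Reset: a list of information
 * elements (IEs). Names and IE id values are constructed, not Magma's. */
enum ie_id { IE_CAUSE = 1, IE_RESET_TYPE = 2 };
enum reset_kind { RESET_ALL = 0, RESET_PARTIAL = 1 };
enum rc { RC_OK = 0, RC_MISSING_MANDATORY_IE = -1, RC_BAD_VALUE = -2 };
struct ie { enum ie_id id; int value; };
struct reset_msg { const struct ie *ies; size_t count; };

/* Returns the first IE with the given id, or NULL when the peer omitted it. */
static const struct ie *find_ie(const struct reset_msg *m, enum ie_id id) {
    for (size_t i = 0; i < m->count; i++)
        if (m->ies[i].id == id) return &m->ies[i];
    return NULL;
}

/* Flawed pattern (defined for comparison, never called): the lookup result
 * is dereferenced unchecked, so a Reset without ResetType reads through NULL. */
int handle_reset_unchecked(const struct reset_msg *m) {
    const struct ie *rt = find_ie(m, IE_RESET_TYPE);
    return rt->value == RESET_ALL ? RC_OK : RC_BAD_VALUE;
}

/* Hardened pattern: a missing mandatory IE is a protocol error to reject,
 * not an invariant the network peer is trusted to keep. */
int handle_reset_checked(const struct reset_msg *m) {
    if (m == NULL || (m->count > 0 && m->ies == NULL))
        return RC_MISSING_MANDATORY_IE;
    const struct ie *rt = find_ie(m, IE_RESET_TYPE);
    if (rt == NULL)
        return RC_MISSING_MANDATORY_IE;
    if (rt->value != RESET_ALL && rt->value != RESET_PARTIAL)
        return RC_BAD_VALUE;
    return RC_OK;
}

/* Constructed inputs: a well-formed Reset and one lacking ResetType. */
static const struct ie good_ies[] = { {IE_CAUSE, 0}, {IE_RESET_TYPE, RESET_ALL} };
static const struct ie bad_ies[]  = { {IE_CAUSE, 0} };
const struct reset_msg good_reset = { good_ies, 2 };
const struct reset_msg bad_reset  = { bad_ies, 1 };

int main(void) {
    printf("well-formed Reset: %d\n", handle_reset_checked(&good_reset));
    printf("Reset without ResetType: %d\n", handle_reset_checked(&bad_reset));
    return 0;
}
```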

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the affected MME, disrupting all cellular communications managed by that entity.

Reproduction

To reproduce this vulnerability, send an S1AP Reset packet from a network-adjacent location to a Magma MME instance running a vulnerable version. The packet must be crafted to exclude the ResetType field, which will trigger the null pointer dereference and cause the MME to crash.

Remediation

Users can upgrade to Magma version 1.9 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.