Magma Mobile Management Entity Null Pointer Dereference Vulnerability via S1AP E-RAB Modification Indication Packet

Vulnerability

A null pointer dereference vulnerability has been identified in the Mobile Management Entity (MME) of Magma versions through 1.8.0. This vulnerability allows network-adjacent attackers to crash the MME by sending an S1AP E-RAB Modification Indication packet that omits the required eNB_UE_S1AP_ID field. The issue has been addressed in Magma version 1.9.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the MME to crash and disrupt all cellular communications managed by that MME.

Reproduction

To reproduce this vulnerability, send an S1AP E-RAB Modification Indication packet to the Magma MME. Ensure that the packet is missing the eNB_UE_S1AP_ID field. This can be done by crafting a packet that complies with the S1AP protocol but intentionally omits the required field. Once the packet is received by the MME, it will cause a null pointer dereference, leading to a crash.

Remediation

Users can upgrade to Magma version 1.9 or later, where this vulnerability has been fixed.
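
For code that parses S1AP outside the patched release, the general defence against this class of bug is to confirm that each mandatory IE is present before reading it. The following is an added example, not Magma's code and not taken from the 1.9 fix: the struct types and the handler name are constructed for illustration, and the IE ids 0 and 8 are the MME-UE-S1AP-ID and eNB-UE-S1AP-ID values from 3GPP TS 36.413.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for a decoded S1AP message: a flat list of IEs.
 * These types are constructed for the example, not Magma's or asn1c's. */
enum { IE_MME_UE_S1AP_ID = 0, IE_ENB_UE_S1AP_ID = 8 }; /* TS 36.413 ProtocolIE-IDs */

typedef struct { uint32_t id; uint32_t value; } ie_t;
typedef struct { const ie_t *ies; size_t count; } erab_mod_ind_t;

/* Returns the IE with the given id, or NULL when the sender omitted it. */
static const ie_t *find_ie(const erab_mod_ind_t *msg, uint32_t id) {
  for (size_t i = 0; i < msg->count; i++)
    if (msg->ies[i].id == id) return &msg->ies[i];
  return NULL;
}

/* Hardened handler: every mandatory IE is checked before use.
 * Returns 0 on success, -1 when the message must be rejected. */
int handle_erab_mod_ind(const erab_mod_ind_t *msg, uint32_t *mme_id,
                        uint32_t *enb_id) {
  if (!msg || !mme_id || !enb_id) return -1;
  const ie_t *mme = find_ie(msg, IE_MME_UE_S1AP_ID);
  const ie_t *enb = find_ie(msg, IE_ENB_UE_S1AP_ID);
  /* The unsafe pattern reads enb->value here without this test. */
  if (mme == NULL || enb == NULL) return -1;
  *mme_id = mme->value;
  *enb_id = enb->value;
  return 0;
}

int main(void) {
  /* Constructed sample messages. */
  const ie_t complete[] = {{IE_MME_UE_S1AP_ID, 7}, {IE_ENB_UE_S1AP_ID, 42}};
  const ie_t missing[] = {{IE_MME_UE_S1AP_ID, 7}};
  erab_mod_ind_t ok = {complete, 2}, bad = {missing, 1};
  uint32_t m = 0, e = 0;
  printf("complete: %d\n", handle_erab_mod_ind(&ok, &m, &e));
  printf("missing eNB_UE_S1AP_ID: %d\n", handle_erab_mod_ind(&bad, &m, &e));
  return 0;
}
```

A message rejected this way should be logged and dropped, or answered with the protocol's error handling, so that one malformed packet cannot take down the process.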

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.