Magma
cpe:2.3:a:linuxfoundation:magma:*:*:*:*:*:*:*
- <= 1.8.0
A null pointer dereference vulnerability has been identified in the Mobility Management Entity (MME) of Magma versions through 1.8.0. This vulnerability allows network-adjacent attackers to crash the MME by sending an S1AP 'Initial UE Message' packet that omits the expected 'RRC Establishment Cause' field. The issue has been fixed in Magma version 1.9.
Exploitation of this vulnerability causes a denial-of-service condition by crashing the Mobility Management Entity (MME), disrupting all cellular communications managed by the MME, including voice calls, messaging, and data services.
To reproduce this vulnerability, send an S1AP 'Initial UE Message' packet to the Magma MME. The packet must be crafted to exclude the 'RRC Establishment Cause' field. This can be done by an unauthenticated mobile device or, due to Wi-Fi calling services, by any entity on the Internet.
Users can upgrade to Magma version 1.9 or later to address this vulnerability.
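The defensive pattern for this class of bug, as an added example that is not Magma's code: a handler that confirms every mandatory IE of a decoded Initial UE Message is present before reading any of them. The `ie_t` and `initial_ue_msg_t` types, the function names and the sample values are hypothetical; the ProtocolIE-ID numbers follow the S1AP ASN.1 in 3GPP TS 36.413.

```c
#include <stddef.h>
#include <stdint.h>

/* ProtocolIE-ID constants as defined in the S1AP ASN.1 (3GPP TS 36.413). */
enum { IE_ENB_UE_S1AP_ID = 8, IE_NAS_PDU = 26, IE_TAI = 67,
       IE_EUTRAN_CGI = 100, IE_RRC_ESTABLISHMENT_CAUSE = 134 };
enum { MSG_OK = 0, MSG_MISSING_MANDATORY_IE = -1 };

/* Hypothetical decoded message: one entry per IE actually present. */
typedef struct { uint32_t id; const void *value; } ie_t;
typedef struct { const ie_t *ies; size_t count; } initial_ue_msg_t;

/* Returns the IE's value, or NULL when the sender omitted the IE. */
static const void *find_ie(const initial_ue_msg_t *m, uint32_t id) {
    for (size_t i = 0; i < m->count; i++)
        if (m->ies[i].id == id) return m->ies[i].value;
    return NULL;
}

/* Checks every mandatory IE before any value is dereferenced. On a
 * missing IE the message is rejected and *missing_id names the IE. */
int handle_initial_ue_message(const initial_ue_msg_t *m, long *cause_out,
                              uint32_t *missing_id) {
    static const uint32_t mandatory[] = { IE_ENB_UE_S1AP_ID, IE_NAS_PDU,
        IE_TAI, IE_EUTRAN_CGI, IE_RRC_ESTABLISHMENT_CAUSE };
    for (size_t i = 0; i < sizeof mandatory / sizeof mandatory[0]; i++) {
        const void *v = find_ie(m, mandatory[i]);
        if (v == NULL) {                 /* absent: reject, do not crash */
            *missing_id = mandatory[i];
            return MSG_MISSING_MANDATORY_IE;
        }
        if (mandatory[i] == IE_RRC_ESTABLISHMENT_CAUSE)
            *cause_out = *(const long *)v;   /* safe: v is non-NULL */
    }
    return MSG_OK;
}

/* Constructed sample input: a message carrying the first n_ies IEs. With
 * n_ies == 5 it is complete; with 4 the RRC Establishment Cause is absent. */
int demo(size_t n_ies, long *cause_out, uint32_t *missing_id) {
    static const long enb_ue_id = 1, cause = 3;  /* constructed; 3 = mo-Signalling */
    static const char nas[] = "nas", tai[] = "tai", cgi[] = "cgi";
    const ie_t ies[] = { { IE_ENB_UE_S1AP_ID, &enb_ue_id }, { IE_NAS_PDU, nas },
        { IE_TAI, tai }, { IE_EUTRAN_CGI, cgi },
        { IE_RRC_ESTABLISHMENT_CAUSE, &cause } };
    const initial_ue_msg_t m = { ies, n_ies };
    return handle_initial_ue_message(&m, cause_out, missing_id);
}
```

A rejected message should be logged with the missing IE ID so that repeated malformed Initial UE Messages from one peer are visible to operations.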