Magma Type Confusion Vulnerability in NAS Message Decoding Allows Arbitrary Code Execution or Denial-of-Service

Vulnerability

A type confusion vulnerability exists in the NAS message decoding function of Magma versions up to and including 1.8.0. An attacker who can deliver a crafted NAS packet can trigger memory corruption in the decoder, resulting in a denial-of-service condition or, under suitable conditions, arbitrary code execution. The root cause is improper handling of the packet contents: the decoder processes the received bytes under a type that does not match what was actually sent, so fields are read or written with the wrong layout and size.

Impact

Successful exploitation results in arbitrary code execution or a denial-of-service condition in which the affected Magma component crashes or becomes unresponsive.

Reproduction

The vulnerability can be reproduced by sending a specially crafted NAS packet to the Magma 5G core network. The packet is delivered over the N2 interface, which carries signaling between the Access and Mobility Management Function (AMF) and the Radio Access Network (RAN); NAS messages travel inside NGAP over this interface. The crafted packet must exercise the type confusion in the NAS message handling, that is, it must cause the decoder to interpret the message contents under the wrong type so that the subsequent processing performs an uninitialized memory access or a buffer overflow.
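The following C program is an added illustration of the bug class described in the Vulnerability and Reproduction sections, not Magma's code and not the actual vulnerable function: the message types, IE tags, struct layouts and packets are all constructed for this example. It shows the typical shape of a type confusion in a NAS-style decoder, where the decoder fills a union according to the IE tag on the wire but the consumer picks the union member from the message type in the header. A packet whose header claims one IE type while carrying another makes the consumer read a length field through the wrong layout, yielding a copy size far larger than the destination buffer. The hardened consumer checks the decoded kind against what the message type requires and rejects the mismatch.

```c
/* Constructed illustration of a type-confusion bug in a NAS-style IE decoder.
 * Not Magma's code; message types, IE tags and layouts are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHORT_DATA_MAX 8
#define LONG_DATA_MAX  64

/* Hypothetical message types, IE tags and decoded-kind markers. */
enum msg_type { MSG_WITH_SHORT_IE = 0x41, MSG_WITH_LONG_IE = 0x42 };
enum ie_tag   { IE_TAG_SHORT = 0x01, IE_TAG_LONG = 0x02 };
enum ie_kind  { IE_KIND_NONE = 0, IE_KIND_SHORT = 1, IE_KIND_LONG = 2 };

struct ie_short { uint8_t  len; uint8_t data[SHORT_DATA_MAX]; }; /* 1-byte length */
struct ie_long  { uint16_t len; uint8_t data[LONG_DATA_MAX];  }; /* 2-byte length */

struct nas_ie {
    enum ie_kind kind;                               /* set from the wire IE tag */
    union { struct ie_short s; struct ie_long l; } u; /* one of the two layouts */
};

/* Decode one IE from buf into ie. Returns 0 on success, -1 on malformed input.
 * The decoder itself is bounds-safe; the bug lives in how its result is used. */
static int decode_ie(const uint8_t *buf, size_t len, struct nas_ie *ie)
{
    memset(ie, 0, sizeof *ie);
    if (len < 2) return -1;
    uint8_t tag = buf[0];
    if (tag == IE_TAG_SHORT) {
        uint8_t l = buf[1];
        if (l > SHORT_DATA_MAX || (size_t)l + 2 > len) return -1;
        ie->kind = IE_KIND_SHORT;
        ie->u.s.len = l;
        memcpy(ie->u.s.data, buf + 2, l);
        return 0;
    }
    if (tag == IE_TAG_LONG) {
        if (len < 3) return -1;
        uint16_t l = (uint16_t)((buf[1] << 8) | buf[2]);
        if (l > LONG_DATA_MAX || (size_t)l + 3 > len) return -1;
        ie->kind = IE_KIND_LONG;
        ie->u.l.len = l;
        memcpy(ie->u.l.data, buf + 3, l);
        return 0;
    }
    return -1;
}

/* Vulnerable consumer: selects the union member from the header's message type
 * instead of from ie->kind. Returns the byte count it would memcpy out of the IE
 * into a LONG_DATA_MAX-byte buffer; the copy itself is omitted so the example
 * does not overflow when run. */
static long handle_vulnerable(uint8_t msg_type, const struct nas_ie *ie)
{
    if (msg_type == MSG_WITH_LONG_IE)
        return ie->u.l.len;   /* short IE bytes reinterpreted as a 16-bit length */
    if (msg_type == MSG_WITH_SHORT_IE)
        return ie->u.s.len;
    return -1;
}

/* Hardened consumer: the decoded kind must match what the message type requires. */
static long handle_hardened(uint8_t msg_type, const struct nas_ie *ie)
{
    if (msg_type == MSG_WITH_LONG_IE && ie->kind == IE_KIND_LONG)
        return ie->u.l.len;
    if (msg_type == MSG_WITH_SHORT_IE && ie->kind == IE_KIND_SHORT)
        return ie->u.s.len;
    return -1;                /* type mismatch: reject the message */
}

/* Decode a whole message laid out as [msg_type][IE] and hand it to a consumer. */
static long process_message(const uint8_t *pkt, size_t len,
                            long (*consumer)(uint8_t, const struct nas_ie *))
{
    struct nas_ie ie;
    if (len < 1 || decode_ie(pkt + 1, len - 1, &ie) != 0) return -1;
    return consumer(pkt[0], &ie);
}

/* Constructed packets: one well-formed, one whose header claims a long IE while
 * the body carries a short IE with two bytes of data. */
static const uint8_t GOOD_PKT[]     = { MSG_WITH_SHORT_IE, IE_TAG_SHORT, 2, 'A', 'B' };
static const uint8_t CONFUSED_PKT[] = { MSG_WITH_LONG_IE,  IE_TAG_SHORT, 2, 'A', 'B' };

long vulnerable_len_good(void)     { return process_message(GOOD_PKT, sizeof GOOD_PKT, handle_vulnerable); }
long vulnerable_len_confused(void) { return process_message(CONFUSED_PKT, sizeof CONFUSED_PKT, handle_vulnerable); }
long hardened_len_confused(void)   { return process_message(CONFUSED_PKT, sizeof CONFUSED_PKT, handle_hardened); }

int main(void)
{
    printf("well-formed packet, vulnerable consumer: len=%ld\n", vulnerable_len_good());
    printf("confused packet, vulnerable consumer: would copy %ld bytes into a %d-byte buffer\n",
           vulnerable_len_confused(), LONG_DATA_MAX);
    printf("confused packet, hardened consumer: %ld (rejected)\n", hardened_len_confused());
    return 0;
}
```

The confused length comes from reading the short IE's one-byte length and first data byte as a single 16-bit field; its exact value depends on host endianness, but on either byte order it exceeds the 64-byte destination, which is what turns the confusion into a buffer overflow in a consumer that trusts it. The fix pattern is the one in handle_hardened: the decoded type, not a separate header field, decides which layout is valid to read.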

Remediation

Upgrade to Magma version 1.9.0 or later, which contains the fix. Until the upgrade is applied, restricting N2 exposure so that only trusted RAN nodes can reach the AMF limits who can deliver the crafted packet, but it does not remove the underlying bug.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 7.5
exploitability: 8.8
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.