Magma Reachable Assertion Vulnerability in Access Point Name Decoding Function Allowing Denial-of-Service

Vulnerability

A reachable assertion vulnerability has been identified in the Magma 5G core network implementation, in versions through 1.8.0. It resides in the 'decode_access_point_name_ie' function, which does not validate the length of the Access Point Name information element before decoding it; an attacker can therefore craft a NAS packet that, when received, triggers an assertion failure. The resulting process abort causes a denial-of-service condition that disrupts normal network operations.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the Magma AMF component to crash and disrupt cellular communications managed by the affected AMF.

Reproduction

The vulnerability can be reproduced by sending an 'Initial UE Message' S1AP packet that includes a malformed Access Point Name information element. The crafted packet should be designed to exploit the lack of length validation in the 'decode_access_point_name_ie' function, causing the assertion to trigger.
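To illustrate the class of check that is missing, the following is an added C example (not Magma's code and not its fix) of a bounds-checked APN IE decoder that rejects a truncated or oversized IE with an error code instead of asserting. The function name, error codes, sample IEs and the 100-octet limit (taken from TS 23.003) are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define APN_MAX_LEN 100   /* assumed limit: TS 23.003 caps an APN at 100 octets */
/* Error codes for this example only (not Magma's). */
enum { APN_ERR_TRUNCATED = -1, APN_ERR_BAD_LEN = -2, APN_ERR_BAD_LABEL = -3 };

/* Decode an APN IE body (no IEI octet): <len> <label_len> <label> ...
 * into the dotted string out[]. Returns octets consumed, or a negative
 * error. Every read is checked against buf_len first, so a truncated or
 * oversized IE yields an error code instead of tripping an assertion. */
int decode_apn_ie_checked(const uint8_t *buf, size_t buf_len,
                          char *out, size_t out_size)
{
    if (buf == NULL || out == NULL || buf_len < 1)
        return APN_ERR_TRUNCATED;
    size_t ie_len = buf[0];
    if (ie_len == 0 || ie_len > APN_MAX_LEN)
        return APN_ERR_BAD_LEN;       /* length octet outside the legal range */
    if (ie_len > buf_len - 1)
        return APN_ERR_TRUNCATED;     /* IE claims more octets than the packet holds */
    if (out_size < ie_len)
        return APN_ERR_BAD_LEN;       /* dotted form needs ie_len - 1 chars plus NUL */

    size_t pos = 1, end = 1 + ie_len, out_pos = 0;
    while (pos < end) {
        size_t label_len = buf[pos++];
        if (label_len == 0 || label_len > end - pos)
            return APN_ERR_BAD_LABEL; /* empty label, or label runs past the IE */
        if (out_pos > 0)
            out[out_pos++] = '.';
        memcpy(out + out_pos, buf + pos, label_len);
        out_pos += label_len;
        pos += label_len;
    }
    out[out_pos] = '\0';
    return (int)end;
}

/* Constructed sample IEs (not captured traffic) plus a decode helper. */
const uint8_t SAMPLE_OK[]        = {8, 3,'i','m','s', 3,'a','p','n'};
const uint8_t SAMPLE_TRUNCATED[] = {9, 8,'i','n','t'};
const uint8_t SAMPLE_BAD_LABEL[] = {4, 5,'a','b','c'};
char g_apn[APN_MAX_LEN + 1];
int decode_sample(const uint8_t *ie, size_t len)
{
    return decode_apn_ie_checked(ie, len, g_apn, sizeof g_apn);
}
```

The two malformed samples are rejected before any octet beyond the buffer is read, which is the property an assertion-based check cannot provide once the assertion is reachable from the network.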

Remediation

Users can upgrade to Magma version 1.9.0 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread           1.4
  impact           2.5
  exploitability   8.8
  remediation      7.7
  relevance        0.0
  threat           4.8
  urgency          2.9
  incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.