Open5GS MME
cpe:2.3:a:open5gs:open5gs:*:*:*:*:*:*:*
- <= 2.6.4
A denial-of-service vulnerability has been identified in Open5GS MME versions through 2.6.4. The issue is an assertion failure that can be triggered remotely by sending a malformed ASN.1 packet over the S1AP interface. Specifically, an 'Initial UE Message' that omits the required 'NAS_PDU' field trips the assertion. Each such message crashes the MME, so an attacker can crash it repeatedly and disrupt service.
Exploitation of this vulnerability causes the Open5GS MME to crash, leading to a denial-of-service condition on the cellular network. This disruption affects all communications within the network, including voice calls, messaging, and data services.
To reproduce this vulnerability, send an 'Initial UE Message' S1AP packet to the Open5GS MME that is missing the 'NAS_PDU' field. This can be done by an unauthenticated mobile device or, due to the availability of Wi-Fi Calling services, by any entity on the Internet.
Users can upgrade to Open5GS version 2.7.0 or later, where this vulnerability has been fixed.
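The defensive pattern for this class of bug, as an added example that is not Open5GS code and not the project's actual patch: check that every mandatory IE of a decoded Initial UE Message is present and return an error the caller can log and drop on, instead of asserting on peer-controlled input. The `ie_t` and `initial_ue_msg_t` types and all function names are hypothetical; the ProtocolIE-ID values are those of 3GPP TS 36.413.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified view of a decoded Initial UE Message:
 * a flat list of protocol IEs. Not Open5GS's data structures. */
typedef struct { uint16_t id; const uint8_t *value; size_t len; } ie_t;
typedef struct { const ie_t *ies; size_t count; } initial_ue_msg_t;

/* ProtocolIE-ID constants from 3GPP TS 36.413. */
enum { IE_ENB_UE_S1AP_ID = 8, IE_NAS_PDU = 26, IE_TAI = 67,
       IE_EUTRAN_CGI = 100, IE_RRC_ESTABLISHMENT_CAUSE = 134 };
enum { MSG_OK = 0, MSG_MISSING_MANDATORY_IE = -1 };

static const ie_t *find_ie(const initial_ue_msg_t *m, uint16_t id) {
    for (size_t i = 0; i < m->count; i++)
        if (m->ies[i].id == id) return &m->ies[i];
    return NULL;
}

/* Returns MSG_OK, or MSG_MISSING_MANDATORY_IE with *missing set to the
 * first absent IE id. The caller rejects the message; nothing here aborts. */
int validate_initial_ue_message(const initial_ue_msg_t *m, uint16_t *missing) {
    static const uint16_t mandatory[] = { IE_ENB_UE_S1AP_ID, IE_NAS_PDU,
        IE_TAI, IE_EUTRAN_CGI, IE_RRC_ESTABLISHMENT_CAUSE };
    for (size_t i = 0; i < sizeof mandatory / sizeof mandatory[0]; i++) {
        const ie_t *ie = find_ie(m, mandatory[i]);
        if (ie == NULL || ie->value == NULL || ie->len == 0) {
            *missing = mandatory[i];
            return MSG_MISSING_MANDATORY_IE;
        }
    }
    return MSG_OK;
}

/* Constructed sample: builds an in-memory IE list, optionally without
 * NAS-PDU. Returns 0 if the list validates, else the missing IE id. */
unsigned sample_missing_ie(int include_nas_pdu) {
    static const uint8_t v[] = { 0x01 };  /* placeholder IE contents */
    ie_t ies[5] = { {IE_ENB_UE_S1AP_ID, v, 1}, {IE_TAI, v, 1},
        {IE_EUTRAN_CGI, v, 1}, {IE_RRC_ESTABLISHMENT_CAUSE, v, 1} };
    size_t n = 4;
    uint16_t missing = 0;
    if (include_nas_pdu) ies[n++] = (ie_t){ IE_NAS_PDU, v, 1 };
    initial_ue_msg_t m = { ies, n };
    return validate_initial_ue_message(&m, &missing) == MSG_OK ? 0 : missing;
}

int main(void) {
    printf("complete message: missing IE id %u\n", sample_missing_ie(1));
    printf("without NAS-PDU:  missing IE id %u\n", sample_missing_ie(0));
    return 0;
}
```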