CVE-2023-37002
📋 TL;DR
This vulnerability allows remote attackers to cause denial of service in Open5GS MME by sending specially crafted ASN.1 packets over the S1AP interface. The missing MME_UE_S1AP_ID field triggers an assertion failure that crashes the MME service. Mobile network operators using vulnerable Open5GS deployments are affected.
💻 Affected Systems
- Open5GS MME
📦 What is this software?
Open5GS by Open5GS
⚠️ Risk & Real-World Impact
Worst Case
Sustained MME crashes could disrupt cellular service for an entire coverage area, preventing users from making/receiving calls and data connections.
Likely Case
Intermittent service disruptions affecting subsets of users as MME restarts, with potential for cascading failures in the mobile core network.
If Mitigated
Minimal impact where proper network segmentation is in place and monitoring allows quick detection and restart of the affected service.
🎯 Exploit Status
Exploitation requires network access to the S1AP interface but no authentication; a single malformed packet is sufficient.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.5
Vendor Advisory: https://github.com/open5gs/open5gs/releases/tag/v2.6.5
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update Open5GS to version 2.6.5 or later.
3. Restart the MME service.
4. Verify that the service is running correctly.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the S1AP interface (SCTP port 36412) to trusted eNodeBs only, using firewall rules. Replace trusted_eNodeB_ip with each eNodeB's address (one ACCEPT rule per eNodeB) and keep the ACCEPT rules ahead of the final DROP, since iptables evaluates rules in order:
iptables -A INPUT -p sctp --dport 36412 -s trusted_eNodeB_ip -j ACCEPT
iptables -A INPUT -p sctp --dport 36412 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit S1AP interface exposure
- Deploy monitoring and automated restart mechanisms for MME service
🔍 How to Verify
Check if Vulnerable:
Check the Open5GS version with open5gs-mmed --version. If the version is 2.6.4 or earlier and the S1AP interface is reachable from untrusted hosts, the system is vulnerable.
Check Version:
open5gs-mmed --version
Verify Fix Applied:
Confirm that the version is 2.6.5 or later, then exercise the MME with legitimate S1AP traffic to confirm that it remains stable.
📡 Detection & Monitoring
Log Indicators:
- MME assertion failures
- MME service crashes
- S1AP connection resets from unexpected sources
Network Indicators:
- Malformed S1AP packets
- E-RAB Modification Indication messages missing MME_UE_S1AP_ID field
SIEM Query:
source="open5gs-mme.log" AND ("assertion" OR "crash" OR "abort")
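As an added example (not part of this advisory and not Open5GS code), a small APER-level checker that lists the ProtocolIE ids carried by an S1AP PDU and flags an initiating E-RAB Modification Indication that has no MME-UE-S1AP-ID IE, the network indicator listed above. The procedure code (50) and IE id (0) are assumed from 3GPP TS 36.413, and the two sample PDUs are constructed by hand and carry only the UE-ID IEs.

```python
# Identifiers from 3GPP TS 36.413 (assumed from the spec; the advisory does not quote them)
PROC_ERAB_MOD_IND = 50          # ProcedureCode id-E-RABModificationIndication
IE_MME_UE_ID = 0                # ProtocolIE-ID id-MME-UE-S1AP-ID
class BitReader:                # minimal reader for the aligned PER (APER) that S1AP uses
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0          # pos is a bit offset
    def bits(self, n: int) -> int:             # n unaligned bits, MSB first
        v = 0
        for _ in range(n):
            byte, off = divmod(self.pos, 8)
            v = (v << 1) | ((self.data[byte] >> (7 - off)) & 1)
            self.pos += 1
        return v
    def octets(self, n: int) -> bytes:         # align to an octet boundary, read n octets
        self.pos = (self.pos + 7) & ~7
        start = self.pos // 8
        self.pos += 8 * n
        return self.data[start:start + n]
    def length(self) -> int:                   # aligned length determinant (< 16384 only)
        first = self.octets(1)[0]
        if first < 0x80:
            return first
        if first & 0xC0 == 0x80:
            return ((first & 0x3F) << 8) | self.octets(1)[0]
        raise ValueError("fragmented length determinant not supported")

def parse_s1ap_ie_ids(pdu: bytes):
    """Return (pdu_type, procedure_code, [ProtocolIE ids]) for one S1AP PDU."""
    r = BitReader(pdu)
    r.bits(1)                                  # extension bit of the S1AP-PDU CHOICE
    pdu_type = r.bits(2)                       # 0 initiating, 1 successful, 2 unsuccessful
    proc = r.octets(1)[0]                      # ProcedureCode INTEGER (0..255), aligned
    r.bits(2)                                  # message criticality
    body = BitReader(r.octets(r.length()))     # open type: length determinant, then contents
    body.bits(1)                               # extension bit of the message SEQUENCE
    ids = []
    for _ in range(int.from_bytes(body.octets(2), "big")):  # ProtocolIE-Container count
        ids.append(int.from_bytes(body.octets(2), "big"))   # ProtocolIE-ID
        body.bits(2)                           # IE criticality
        body.octets(body.length())             # skip the IE value (open type)
    return pdu_type, proc, ids

def is_missing_mme_ue_id(pdu: bytes) -> bool:
    """True for an initiating E-RAB Modification Indication with no MME-UE-S1AP-ID IE."""
    pdu_type, proc, ids = parse_s1ap_ie_ids(pdu)
    return pdu_type == 0 and proc == PROC_ERAB_MOD_IND and IE_MME_UE_ID not in ids
# Constructed samples (not captures) carrying only the UE-ID IEs, both with value 1.
MALFORMED_PDU = bytes.fromhex("00320009" "000001" "000800020001")                 # eNB id only
WELLFORMED_PDU = bytes.fromhex("0032000f" "000002" "000000020001" "000800020001")  # both ids
```

Feed it the S1AP payloads extracted from an SCTP capture of port 36412 on the MME side; a hit is a cheap signal to correlate with the assertion-failure log indicator above.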