Login Sign Up

CVE-2023-37006

5.3 MEDIUM
Denial of Service

📋 TL;DR

Open5GS MME versions up to 2.6.4 contain a remotely triggerable assertion via malformed ASN.1 packets on the S1AP interface. Attackers can send Handover Request Ack messages missing the required MME_UE_S1AP_ID field to repeatedly crash the MME service, causing denial of service. This affects cellular network operators and organizations using Open5GS for 4G/5G core network testing or deployment.

💻 Affected Systems

Products:
  • Open5GS MME
Versions: <= 2.6.4
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with S1AP interface enabled and accessible to attackers.

📦 What is this software?

Open5gs by Open5gs

View all CVEs affecting Open5gs →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sustained MME crashes leading to complete cellular service outage for affected network segment, preventing all voice/data connectivity.

🟠

Likely Case

Intermittent service disruptions as MME restarts after crashes, causing dropped calls and connection failures.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and response.

🌐 Internet-Facing: MEDIUM - S1AP interface typically not directly internet-exposed but could be reachable in misconfigured or test environments.
🏢 Internal Only: HIGH - Within cellular network infrastructure, attackers with internal access can easily exploit this to disrupt services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple packet crafting required. No authentication needed if S1AP interface is reachable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.5

Vendor Advisory: https://github.com/open5gs/open5gs/releases/tag/v2.6.5

Restart Required: Yes

Instructions:

1. Backup current configuration. 2. Update Open5GS to version 2.6.5 or later. 3. Restart MME service. 4. Verify service is running correctly.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict access to S1AP interface (port 36412) to only trusted eNodeBs using firewall rules.

iptables -A INPUT -p sctp --dport 36412 -s trusted_eNodeB_ip -j ACCEPT
iptables -A INPUT -p sctp --dport 36412 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit S1AP interface exposure
  • Deploy monitoring and alerting for MME process crashes with automated restart capabilities

🔍 How to Verify

Check if Vulnerable:

Check Open5GS version: open5gs-mmed --version. If version <= 2.6.4 and S1AP interface is enabled, system is vulnerable.

Check Version:

open5gs-mmed --version

Verify Fix Applied:

After patching, verify version is >= 2.6.5 and test with legitimate S1AP traffic to ensure service remains stable.

📡 Detection & Monitoring

Log Indicators:

  • MME process crashes/restarts in system logs
  • ASN.1 parsing errors in Open5GS logs
  • Repeated 'assertion failed' messages

Network Indicators:

  • Unusual S1AP traffic from unexpected sources
  • Handover Request Ack messages missing MME_UE_S1AP_ID field

SIEM Query:

source="open5gs.log" AND ("assertion" OR "crash" OR "S1AP")

📊 Metadata

CVE ID: CVE-2023-37006
CVSS v3 Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-617
EPSS Score: 0.04% exploit probability (9.8th percentile)
Published: January 22, 2025
Last Updated: April 22, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-37006, you might also want to check these:

CVE-2023-37015 8.6

This vulnerability allows remote attackers to cause denial of service by sending malformed ASN.1 pac...

Same vulnerability type (CWE-617)
CVE-2023-37016 8.6

CVE-2023-37016 is a remotely triggerable assertion vulnerability in Open5GS MME that allows denial o...

Same vulnerability type (CWE-617)
CVE-2023-37017 8.6

Open5GS MME versions up to 2.6.4 contain a remotely triggerable assertion via malformed ASN.1 packet...

Same vulnerability type (CWE-617)