CVE-2023-37010
📋 TL;DR
This vulnerability allows remote attackers to cause denial of service by sending specially crafted ASN.1 packets to Open5GS MME servers. Attackers can repeatedly crash the MME service by sending malformed eNB Status Transfer messages missing required fields. This affects all deployments running vulnerable Open5GS MME versions.
💻 Affected Systems
- Open5GS MME
📦 What is this software?
Open5GS by Open5GS
⚠️ Risk & Real-World Impact
Worst Case
Sustained MME crashes causing complete cellular network service disruption for affected subscribers, potentially affecting emergency services and critical communications.
Likely Case
Intermittent service outages and degraded network performance as MME restarts repeatedly, impacting subscriber connectivity and call/session establishment.
If Mitigated
Limited impact with proper network segmentation and monitoring, allowing quick detection and response to attack attempts.
🎯 Exploit Status
Exploitation requires network access to the S1AP interface but no authentication. The attack is simple to implement once the protocol is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.5 and later
Vendor Advisory: https://github.com/open5gs/open5gs/releases
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update Open5GS to version 2.6.5 or later.
3. Restart the MME service.
4. Verify service functionality.
🔧 Temporary Workarounds
Network Segmentation
Restrict S1AP interface access to trusted eNBs only using firewall rules.
iptables -A INPUT -p sctp --dport 36412 -s trusted_eNB_ip -j ACCEPT
iptables -A INPUT -p sctp --dport 36412 -j DROP
Rate Limiting
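Implement rate limiting on S1AP connections to prevent rapid exploitation attempts.
# Match only SCTP INIT chunks (new association attempts) so established S1AP traffic is not throttled
iptables -A INPUT -p sctp --dport 36412 --chunk-types any INIT -m limit --limit 10/min --limit-burst 20 -j ACCEPT
iptables -A INPUT -p sctp --dport 36412 --chunk-types any INIT -j DROP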
🧯 If You Can't Patch
- Implement strict network access controls to limit S1AP interface exposure to only authorized eNBs.
- Deploy intrusion detection systems monitoring for malformed S1AP packets and implement automated alerting for MME crash events.
🔍 How to Verify
Check if Vulnerable:
Check the Open5GS version: open5gs-mmed --version. If the version is 2.6.4 or earlier, the system is vulnerable.
Check Version:
open5gs-mmed --version
Verify Fix Applied:
After patching, verify version is 2.6.5 or later and test with valid S1AP traffic to ensure MME remains stable.
📡 Detection & Monitoring
Log Indicators:
- MME process crashes/restarts in system logs
- ASN.1 decoding errors in Open5GS logs
- Abnormal S1AP connection attempts
Network Indicators:
- Malformed eNB Status Transfer messages missing MME_UE_S1AP_ID field
- Rapid S1AP connection attempts from single source
SIEM Query:
source="open5gs.log" AND ("assertion failed" OR "MME crash" OR "ASN.1 error")
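Added example (not part of the advisory or the Open5GS project): one way to turn the log indicators and SIEM query terms above into an automated crash-loop alert. The function names, the threshold, the 5-minute window and the ISO-8601 timestamp prefix on each line are assumptions, and the sample log lines are constructed.

```python
# Added example: crash-loop detection over constructed log lines.
# Assumption: each line starts with an ISO-8601 timestamp; adapt parse_ts()
# to the log format actually in use.
from collections import deque
from datetime import datetime, timedelta

# Terms taken from the SIEM query on this page (compared case-insensitively).
INDICATORS = ("assertion failed", "mme crash", "asn.1 error")

def parse_ts(line):
    """Return the leading timestamp, or None if the line has none."""
    try:
        return datetime.fromisoformat(line.split(" ", 1)[0])
    except ValueError:
        return None

def detect_crash_loop(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (first_ts, last_ts, count) for each burst of indicator hits
    that reaches `threshold` within `window`."""
    recent = deque()
    alerts = []
    for line in lines:
        ts = parse_ts(line)
        if ts is None or not any(t in line.lower() for t in INDICATORS):
            continue
        recent.append(ts)
        while ts - recent[0] > window:   # drop hits that fell out of the window
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0], ts, len(recent)))
            recent.clear()               # one alert per burst
    return alerts

# Constructed sample input (not real Open5GS output).
SAMPLE = [
    "2023-08-01T10:00:00 mme INFO S1AP association established",
    "2023-08-01T10:00:05 mme FATAL assertion failed in s1ap handler",
    "2023-08-01T10:00:07 systemd open5gs-mmed.service restarted",
    "2023-08-01T10:01:10 mme ERROR ASN.1 error while decoding PDU",
    "2023-08-01T10:02:30 mme FATAL Assertion failed in s1ap handler",
    "2023-08-01T11:30:00 mme ERROR ASN.1 error while decoding PDU",
    "corrupt line without timestamp: assertion failed",
]

if __name__ == "__main__":
    for first, last, n in detect_crash_loop(SAMPLE):
        print(f"ALERT: {n} MME failure indicators between {first} and {last}")
```

A single isolated hit (the 11:30 line) and lines without a parsable timestamp do not raise an alert; only repeated indicators inside the window do.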