CVE-2023-37012

5.3 MEDIUM

📋 TL;DR

Open5GS MME versions 2.6.4 and earlier contain a reachable assertion in the handling of ASN.1-encoded S1AP messages: an Initial UE Message that omits the PLMN Identity trips the assertion and aborts the mmed process. Because S1AP carries no application-layer authentication, any peer that can open an SCTP association to the MME's S1AP port (36412 by default) can send the message repeatedly to keep the MME down, denying service to every eNodeB and UE it serves. All deployments running a vulnerable Open5GS MME build are affected.

💻 Affected Systems

Products:
  • Open5GS MME
Versions: <= 2.6.4
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment running a vulnerable Open5GS MME build is exposed on its S1AP listener (SCTP port 36412 by default), which the MME always opens.

📦 What is this software?

Open5GS is an open-source implementation of the 4G EPC and 5G core, written in C. The MME (open5gs-mmed) is the EPC control-plane node that terminates S1AP signalling from eNodeBs over SCTP and handles NAS signalling (attach, authentication, mobility) for LTE UEs; if it crashes, eNodeBs lose their S1 connection and UEs cannot attach.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker loops the crafted message faster than the MME can restart, keeping it down for as long as they retain reachability; every eNodeB attached to that MME loses its S1 connection and UEs in the covered area cannot attach or be paged.

🟠 Likely Case

Intermittent crashes of open5gs-mmed, each dropping all S1 associations and in-progress procedures, with connectivity restored once the service is restarted (by an operator or a service manager) and the eNodeBs re-establish S1.

🟢 If Mitigated

Minimal impact: with the S1AP listener reachable only from trusted eNodeBs the message never reaches the MME, and crash monitoring makes any successful attempt visible on the first restart.

🌐 Internet-Facing: MEDIUM - the S1-MME interface is normally confined to the RAN transport network and not reachable from the internet, but lab, small-cell and cloud-hosted cores sometimes expose SCTP/36412 directly.
🏢 Internal Only: HIGH - anyone with reachability to the S1AP port (an insider on the transport network, a compromised eNodeB, or a compromised host on the same segment) can trigger the crash without credentials.

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to open an SCTP association to the MME's S1AP port and send a crafted Initial UE Message; no credentials are needed because S1AP has no application-layer authentication. In practice that means network reachability of the S1-MME interface, typically from the RAN side or from a compromised eNodeB.
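The bug class at work, as an added schematic in Python (this is not Open5GS code, which is C, and the IE names and dict layout are assumptions made for readability): a handler that enforces a mandatory IE with an assert-style check takes the whole daemon down on one bad message, while the fixed pattern rejects only that message and keeps serving everyone else.

```python
"""
Schematic of the bug class behind CVE-2023-37012 (CWE-617, reachable assertion).
Added illustration, not Open5GS code: the real MME is C and its S1AP handler is
not reproduced here.  A decoded message is modelled as a dict keyed by IE name
(an assumption made for readability).
"""
from typing import Callable, Dict, Iterable, List, Tuple

Message = Dict[str, object]


class S1apRejected(Exception):
    """Raised by the hardened handler when a mandatory IE is missing."""


def ogs_assert_like(cond: bool, expr: str) -> None:
    """Stand-in for the daemon's assertion macro.  The real one logs a FATAL
    line and calls abort(), ending the process; here it raises AssertionError
    so the caller can observe the 'process died' outcome without dying."""
    if not cond:
        raise AssertionError(f"Assertion `{expr}' failed.")


def handle_initial_ue_vulnerable(ies: Message) -> str:
    """Vulnerable pattern: presence of a mandatory IE is enforced with an
    assertion, so a peer that omits it crashes the MME for everyone."""
    ogs_assert_like("PLMN-Identity" in ies, "PLMN-Identity present")
    return f"attach-started:{ies['PLMN-Identity']}"


def handle_initial_ue_hardened(ies: Message) -> str:
    """Fixed pattern: validate the decoded message and fail only that message.
    The caller logs the error and drops the PDU; every other eNodeB and UE
    keeps being served."""
    plmn = ies.get("PLMN-Identity")
    if plmn is None:
        raise S1apRejected("InitialUEMessage without PLMN-Identity: dropped")
    return f"attach-started:{plmn}"


def process_stream(handler: Callable[[Message], str],
                   messages: Iterable[Message]) -> Tuple[int, bool]:
    """Feed messages to a handler the way a daemon's event loop would.
    Returns (messages handled, daemon still alive).  A protocol-level
    rejection is survivable; an AssertionError stands in for abort(),
    after which nothing further is served."""
    handled = 0
    for msg in messages:
        try:
            handler(msg)
        except S1apRejected:
            continue                      # one bad PDU dropped, loop goes on
        except AssertionError:
            return handled, False         # process is gone
        handled += 1
    return handled, True


# Constructed sample traffic: two well-formed Initial UE Messages around one
# that omits the PLMN Identity (the malformed message this page describes).
SAMPLE_MESSAGES: List[Message] = [
    {"eNB-UE-S1AP-ID": 1, "PLMN-Identity": "00101", "TAC": 1},
    {"eNB-UE-S1AP-ID": 2, "TAC": 1},
    {"eNB-UE-S1AP-ID": 3, "PLMN-Identity": "00101", "TAC": 1},
]

if __name__ == "__main__":
    print(process_stream(handle_initial_ue_vulnerable, SAMPLE_MESSAGES))  # (1, False)
    print(process_stream(handle_initial_ue_hardened, SAMPLE_MESSAGES))    # (2, True)
```

The point of the two return values is the blast radius: the vulnerable handler stops after the first well-formed message because the second one ends the process, whereas the hardened handler drops the bad PDU and still serves the third eNodeB.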

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.5 and later

Vendor Advisory: https://github.com/open5gs/open5gs/security/advisories

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Update Open5GS to version 2.6.5 or later.
3. Restart the MME service.
4. Verify the service is running correctly.

🔧 Temporary Workarounds

Network Segmentation

Linux (iptables), IPv4 shown; use ip6tables for IPv6 peers:

Restrict S1AP access to trusted eNodeBs only. Both rules are inserted at the top of the chain so that an earlier blanket ACCEPT cannot bypass them; after both commands the ACCEPT sits above the DROP. Repeat the ACCEPT for every trusted eNodeB address, including every address a multi-homed eNodeB announces in its SCTP INIT.

iptables -I INPUT 1 -p sctp --dport 36412 -j DROP
iptables -I INPUT 1 -p sctp --dport 36412 -s <trusted_enodeb_ip> -j ACCEPT

Persist the rules with your distribution's mechanism or they are lost on reboot. This blocks untrusted hosts from ever reaching the MME, but it does nothing against a compromised eNodeB that is itself on the allow list.

🧯 If You Can't Patch

  • Implement strict network access controls so that only known eNodeB addresses can reach SCTP port 36412 on the MME
  • Deploy intrusion detection that dissects S1AP and alerts on Initial UE Messages missing the PLMN Identity, and on S1 associations from unknown sources
  • Run open5gs-mmed under a supervisor that restarts it automatically and alerts on each restart, so an attack shortens to seconds per crash and is noticed immediately

🔍 How to Verify

Check if Vulnerable:

Print the running daemon's version (the -v flag prints the version and exits; on a packaged install the package manager also records it):

open5gs-mmed -v
dpkg -s open5gs-mme | grep '^Version'   # Debian/Ubuntu packages

Check Version:

open5gs-mmed -v 2>&1 | grep -oE '[0-9]+\.[0-9]+\.[0-9]+'

Any result of 2.6.4 or lower is vulnerable.

Verify Fix Applied:

Confirm the reported version is 2.6.5 or later, confirm the running process was started after the upgrade (a daemon that is still the old binary remains vulnerable until restarted), and watch for assertion failures or restarts of open5gs-mmed afterwards.
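A version check that does the comparison properly, added here as an example (not an Open5GS tool). It assumes that `open5gs-mmed -v` prints a line containing the version, such as "Open5GS daemon v2.6.4", and that the fix is in 2.6.5 and later as this page states; the comparison is done on integer tuples so that 2.10.0 is correctly ordered above 2.6.5, which a string comparison gets wrong.

```python
"""
Version check for CVE-2023-37012.  Added example, not part of Open5GS.
Assumptions: `open5gs-mmed -v` prints a line containing the version
(e.g. "Open5GS daemon v2.6.4"); fixed releases are 2.6.5 and later.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (2, 6, 5)
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first x.y.z triple from a version banner, or None.
    Also copes with package strings such as '2.6.4-1' by taking the triple only."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """Integer tuple comparison: (2, 6, 4) < (2, 6, 5) < (2, 10, 0)."""
    return version < FIXED_VERSION


def assess(banner: str) -> str:
    """Turn a version banner into a one-line verdict."""
    v = parse_version(banner)
    if v is None:
        return "unknown: could not parse version from banner"
    state = "VULNERABLE" if is_vulnerable(v) else "patched"
    return f"{state}: open5gs-mmed {'.'.join(map(str, v))} (fix in 2.6.5+)"


def installed_banner() -> str:
    """Run the daemon's -v flag (assumed to print the version and exit).
    stdout and stderr are both captured in case the build prints to either,
    and a non-zero exit status is tolerated."""
    exe = shutil.which("open5gs-mmed")
    if exe is None:
        return ""
    proc = subprocess.run([exe, "-v"], capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    print(assess(installed_banner()))
```

Run it on the MME host after the upgrade; a "patched" verdict still only means the installed binary is fixed, so restart the service and check the process start time separately.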

📡 Detection & Monitoring

Log Indicators:

  • open5gs-mmed exiting on SIGABRT (systemd records this as "Main process exited, code=dumped, status=6/ABRT") or core dumps from the MME
  • Repeated MME service restarts
  • "FATAL: ... Assertion `...' failed." lines in the Open5GS log, which the daemon emits immediately before aborting

Network Indicators:

  • S1AP Initial UE Messages missing the PLMN Identity (visible with an S1AP dissector such as Wireshark's)
  • SCTP associations to port 36412 from addresses that are not known eNodeBs

SIEM Query:

source="open5gs.logs" AND ("assertion" OR "crash" OR "abort") AND process="mmed"
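The same log indicators turned into a crash-loop detector, added here as an example and not part of Open5GS. It assumes journal lines in `journalctl -o short-iso` layout, counts MME aborts from systemd's exit records so that the daemon's FATAL line and systemd's record of the same crash are not double-counted, and keeps the last assertion text for context. The sample journal is constructed, and the quoted expression in its assertion lines is a placeholder, not the real one.

```python
"""
Crash-loop detector for the open5gs-mmed log indicators.  Added example, not
part of Open5GS.  Input: journalctl -o short-iso lines (assumed layout
"<iso-ts><tz> <host> <unit>[<pid>]: <message>").  The sample lines below
are constructed, not captured from a live system.
"""
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})[+-]\d{4}\s+\S+\s+"
    r"(?P<unit>[^\[\s]+)\[\d+\]:\s*(?P<msg>.*)$"
)
# Shape of the FATAL line the daemon's assertion macro logs before abort().
ASSERT_RE = re.compile(r"FATAL:.*Assertion `[^']*' failed")
# systemd's record of the MME unit dying on SIGABRT (signal 6).
ABORT_RE = re.compile(
    r"open5gs-mmed\.service: Main process exited, code=(?:dumped|killed), status=6/ABRT"
)


def parse(line: str) -> Optional[Tuple[datetime, str, str]]:
    """Split a journal line into (timestamp, unit, message); None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["unit"], m["msg"]


def crash_loop_alerts(lines: Iterable[str], threshold: int = 3,
                      window_s: int = 300) -> List[Tuple[datetime, str]]:
    """Return one (timestamp, last assertion message) per burst in which at
    least `threshold` MME aborts fall within `window_s` seconds.  A single
    crash is worth a look; several in a few minutes is the pattern of someone
    replaying the crafted message against a restarting service."""
    aborts: Deque[datetime] = deque()
    last_assertion = ""
    alerts: List[Tuple[datetime, str]] = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, unit, msg = parsed
        if unit == "open5gs-mmed" and ASSERT_RE.search(msg):
            last_assertion = msg
        elif unit == "systemd" and ABORT_RE.search(msg):
            aborts.append(ts)
            while ts - aborts[0] > timedelta(seconds=window_s):
                aborts.popleft()
            if len(aborts) >= threshold:
                alerts.append((ts, last_assertion))
                aborts.clear()          # one alert per burst, then re-arm
    return alerts


# Constructed sample journal: three aborts inside two minutes (a burst), one
# benign INFO line, and one isolated abort an hour later (not a burst).
SAMPLE_JOURNAL = """\
2023-07-05T12:00:01+0000 mme1 open5gs-mmed[1201]: 07/05 12:00:01.412: [mme] INFO: eNB-S1 accepted[10.0.1.7]:36412 in s1_path module
2023-07-05T12:00:03+0000 mme1 open5gs-mmed[1201]: 07/05 12:00:03.008: [core] FATAL: s1ap: Assertion `ie' failed.
2023-07-05T12:00:03+0000 mme1 systemd[1]: open5gs-mmed.service: Main process exited, code=dumped, status=6/ABRT
2023-07-05T12:00:04+0000 mme1 systemd[1]: open5gs-mmed.service: Scheduled restart job, restart counter is at 1.
2023-07-05T12:01:10+0000 mme1 open5gs-mmed[1244]: 07/05 12:01:10.551: [core] FATAL: s1ap: Assertion `ie' failed.
2023-07-05T12:01:10+0000 mme1 systemd[1]: open5gs-mmed.service: Main process exited, code=dumped, status=6/ABRT
2023-07-05T12:02:20+0000 mme1 open5gs-mmed[1290]: 07/05 12:02:20.130: [core] FATAL: s1ap: Assertion `ie' failed.
2023-07-05T12:02:20+0000 mme1 systemd[1]: open5gs-mmed.service: Main process exited, code=dumped, status=6/ABRT
2023-07-05T13:30:00+0000 mme1 systemd[1]: open5gs-mmed.service: Main process exited, code=dumped, status=6/ABRT
""".splitlines()

if __name__ == "__main__":
    for ts, context in crash_loop_alerts(SAMPLE_JOURNAL):
        print(f"{ts.isoformat()} crash loop on open5gs-mmed; last assertion: {context}")
```

Pipe `journalctl -u open5gs-mmed -u systemd -o short-iso` into it, or adapt the two regular expressions to whatever your log shipper emits; the thresholds are a starting point and should be tuned to how fast your service manager restarts the MME.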
