CVE-2023-37013

7.3 HIGH

📋 TL;DR

CVE-2023-37013 is a denial-of-service vulnerability in Open5GS MME where attackers can send oversized ASN.1 packets over S1AP to trigger an assertion failure and crash the service. This affects all deployments running Open5GS MME versions 2.6.4 and earlier. Mobile network operators and telecom infrastructure providers using Open5GS are impacted.

💻 Affected Systems

Products:
  • Open5GS MME
Versions: <= 2.6.4
Operating Systems: Linux, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using vulnerable Open5GS MME versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sustained DoS attack could cause complete MME service unavailability, disrupting mobile network connectivity for all users in the affected area.

🟠

Likely Case

Intermittent service crashes leading to temporary mobile connectivity disruptions and increased operational overhead for service restoration.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to isolated network segments with quick detection and recovery.

🌐 Internet-Facing: MEDIUM - S1AP interface is typically not directly internet-facing but may be exposed in some network architectures.
🏢 Internal Only: HIGH - Attackers with access to the core network or adjacent systems can exploit this to disrupt mobile services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires network access to S1AP interface and knowledge of S1AP protocol. No authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.5 and later

Vendor Advisory: https://github.com/open5gs/open5gs/releases

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Stop the Open5GS MME service.
3. Update to Open5GS version 2.6.5 or later.
4. Restart the Open5GS MME service.
5. Verify the service is running correctly.

🔧 Temporary Workarounds

Network Segmentation

Linux

Restrict S1AP interface access to trusted eNodeBs only using firewall rules. Add one ACCEPT rule per trusted eNodeB before the final DROP rule (order matters, since -A appends), replacing trusted_eNodeB_ip with each eNodeB's address.

# one ACCEPT per trusted eNodeB, then a catch-all DROP for S1AP (SCTP port 36412)
iptables -A INPUT -p sctp --dport 36412 -s trusted_eNodeB_ip -j ACCEPT
iptables -A INPUT -p sctp --dport 36412 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit S1AP interface exposure
  • Deploy monitoring and alerting for MME service crashes with automated restart capabilities

🔍 How to Verify

Check if Vulnerable:

Check the Open5GS version with open5gs-mmed --version. If the version is 2.6.4 or earlier, the system is vulnerable.

Check Version:

open5gs-mmed --version

Verify Fix Applied:

After patching, verify version is >= 2.6.5 and test with legitimate S1AP traffic to ensure service stability.

📡 Detection & Monitoring

Log Indicators:

  • MME service crash logs
  • Assertion failure messages in Open5GS logs
  • ogs_sctp_recvmsg error messages

Network Indicators:

  • Unusually large S1AP packets (> typical MTU)
  • Multiple SCTP connections with oversized payloads

SIEM Query:

source="open5gs.log" AND ("assertion" OR "crash" OR "ogs_sctp_recvmsg")
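The log indicators above as a small offline check, added here as an example that is not from this page or the Open5GS project: it counts indicator hits in log text, detects crash-then-restart cycles (the "Likely Case" pattern), and applies the advisory's version threshold. The log layout and the assertion wording in the sample lines are constructed, not captured from a real deployment.

```python
import re
from collections import Counter

# Patterns for the three log indicators listed above; "assert" also catches ogs_assert().
INDICATORS = {
    "assertion": re.compile(r"assert", re.IGNORECASE),
    "crash": re.compile(r"\b(crash(ed|es)?|segfault|core dumped)\b", re.IGNORECASE),
    "ogs_sctp_recvmsg": re.compile(r"ogs_sctp_recvmsg"),
}

# Constructed sample lines in an Open5GS-like layout (timestamp, module, level, message).
SAMPLE_LOG = """\
06/22 10:19:32.151: [mme] INFO: MME initialize...done
06/22 10:20:01.004: [mme] INFO: eNB-S1 accepted[10.0.0.5]:36412 in s1_path module
06/22 10:20:07.338: [core] FATAL: ogs_sctp_recvmsg: ogs_assert() failed. (size <= MAX_SDU_LEN)
06/22 10:20:07.339: [core] FATAL: backtrace() returned 8 addresses
06/22 10:20:07.340: [app] ERROR: open5gs-mmed crashed, restarting
06/22 10:20:09.000: [mme] INFO: MME initialize...done
"""

def scan_log(text):
    """Return per-indicator hit counts and the (line, indicators) pairs that matched."""
    counts = Counter()
    matched = []
    for line in text.splitlines():
        found = [name for name, rx in INDICATORS.items() if rx.search(line)]
        if found:
            counts.update(found)
            matched.append((line, found))
    return dict(counts), matched

def restart_cycles(text):
    """Count crash/assertion lines that are followed by an MME re-initialisation."""
    cycles, pending = 0, False
    for line in text.splitlines():
        if INDICATORS["crash"].search(line) or INDICATORS["assertion"].search(line):
            pending = True
        elif pending and "MME initialize...done" in line:
            cycles += 1
            pending = False
    return cycles

def is_vulnerable_version(version_output):
    """True when the x.y.z version found in `open5gs-mmed --version` output is <= 2.6.4."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError(f"no version number found in {version_output!r}")
    return tuple(int(x) for x in m.groups()) <= (2, 6, 4)
```

Feed the real log file contents to scan_log and the actual --version output to is_vulnerable_version; a restart_cycles count above zero during normal operation is the crash-loop signature worth alerting on.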
