CVE-2023-37015

8.6 HIGH

📋 TL;DR

This vulnerability allows remote attackers to cause denial of service by sending malformed ASN.1 packets to Open5GS MME servers. Attackers can repeatedly crash the MME service by sending Path Switch Request messages missing required fields. This affects all deployments running vulnerable Open5GS MME versions.

💻 Affected Systems

Products:
  • Open5GS MME
Versions: <= 2.6.4
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with S1AP interface exposed to untrusted networks. MME must be reachable via S1AP protocol.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sustained MME crashes could disrupt cellular network services for all users in the affected area, preventing new connections and potentially dropping existing calls/data sessions.

🟠 Likely Case

Intermittent MME crashes causing service disruptions, dropped calls, and failed network attach procedures for mobile devices.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring allowing quick detection and recovery.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires knowledge of S1AP protocol and ability to craft malformed ASN.1 packets. No authentication needed to trigger the crash.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.5 or later

Vendor Advisory: https://github.com/open5gs/open5gs/releases

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Stop the Open5GS MME service.
3. Update to Open5GS version 2.6.5 or later.
4. Restart the Open5GS MME service.
5. Verify the service is running correctly.

🔧 Temporary Workarounds

Network Segmentation

Linux

Restrict S1AP interface access (SCTP port 36412) to trusted eNodeBs only, using firewall rules such as:

iptables -A INPUT -p sctp --dport 36412 -s trusted_enodeb_ip -j ACCEPT
iptables -A INPUT -p sctp --dport 36412 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit S1AP interface exposure
  • Deploy monitoring and automated restart mechanisms for MME service

🔍 How to Verify

Check if Vulnerable:

Check the Open5GS version with open5gs-mmed --version. If the version is <= 2.6.4 and the S1AP interface is exposed, the system is vulnerable.

Check Version:

open5gs-mmed --version

Verify Fix Applied:

Verify version is 2.6.5 or later and test MME functionality with legitimate S1AP traffic.
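The version check above is easy to get wrong with plain string comparison (for instance "2.6.10" sorts before "2.6.4" as text). The following Python helper, added here as an example and not part of the advisory or the Open5GS project, parses the command output into an integer tuple and compares it against the fixed version 2.6.5. The exact output format of open5gs-mmed --version is assumed; the code only relies on a dotted x.y.z version appearing somewhere in the output.

```python
import re
import subprocess

# Fixed version stated in the advisory: 2.6.5 or later carries the fix.
FIXED_VERSION = (2, 6, 5)

# Assumption: the command output contains a dotted x.y.z version somewhere;
# the surrounding text is not relied upon.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(output):
    """Extract the first x.y.z version from command output as an int tuple."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable_version(output):
    """True when the reported version is <= 2.6.4, i.e. older than the fix.

    Integer-tuple comparison avoids the string-comparison trap where
    "2.6.10" would sort before "2.6.4".
    """
    version = parse_version(output)
    if version is None:
        raise ValueError("no version string found in: %r" % output)
    return version < FIXED_VERSION


def check_installed_mme():
    """Run open5gs-mmed --version on this host; return (version, vulnerable)."""
    result = subprocess.run(["open5gs-mmed", "--version"],
                            capture_output=True, text=True, check=False)
    output = result.stdout + result.stderr
    return parse_version(output), is_vulnerable_version(output)


if __name__ == "__main__":
    version, vulnerable = check_installed_mme()
    print("open5gs-mmed version %s: %s" % (
        ".".join(map(str, version)) if version else "unknown",
        "VULNERABLE, upgrade to 2.6.5 or later" if vulnerable else "patched"))
```

Run it on the MME host; the functions can also be fed captured output from a fleet inventory tool instead of invoking the binary locally.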

📡 Detection & Monitoring

Log Indicators:

  • MME process crashes
  • Assertion failures in logs
  • Repeated service restarts
  • S1AP protocol errors

Network Indicators:

  • Malformed S1AP packets
  • Multiple Path Switch Request messages from single source
  • Unusual SCTP traffic patterns on port 36412

SIEM Query:

source="open5gs.logs" AND ("assertion" OR "crash" OR "S1AP error")
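To show the log indicators above turned into working detection logic, here is an added Python example (not from the advisory or the Open5GS project) that classifies log lines into assertion failures, S1AP protocol errors and service restarts, and flags a crash loop when several restarts fall inside a short window. The sample log lines and their format are constructed for illustration; a real deployment would adapt the regexes to its actual MME and service-manager log output.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log lines (not real Open5GS output). They mimic an MME
# log interleaved with service-manager restart messages during a crash loop.
SAMPLE_LOGS = """\
2024-01-10T10:00:01 mme[1201]: [s1ap] INFO: Path Switch Request received
2024-01-10T10:00:01 mme[1201]: [s1ap] ERROR: missing mandatory IE in Path Switch Request
2024-01-10T10:00:01 mme[1201]: [core] FATAL: Assertion failed (ogs_assert)
2024-01-10T10:00:02 systemd[1]: open5gs-mmed.service: Main process exited, code=killed, status=6/ABRT
2024-01-10T10:00:07 systemd[1]: open5gs-mmed.service: Scheduled restart job
2024-01-10T10:01:30 mme[1288]: [s1ap] INFO: Path Switch Request received
2024-01-10T10:01:30 mme[1288]: [core] FATAL: Assertion failed (ogs_assert)
2024-01-10T10:01:31 systemd[1]: open5gs-mmed.service: Main process exited, code=killed, status=6/ABRT
2024-01-10T10:01:36 systemd[1]: open5gs-mmed.service: Scheduled restart job
2024-01-10T10:02:40 mme[1350]: [core] FATAL: Assertion failed (ogs_assert)
2024-01-10T10:02:41 systemd[1]: open5gs-mmed.service: Main process exited, code=killed, status=6/ABRT
2024-01-10T10:02:46 systemd[1]: open5gs-mmed.service: Scheduled restart job
"""

# Assumed line layout: "<ISO timestamp> <process>: <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>[^:]+):\s+(?P<msg>.*)$")

# Indicator patterns mirror the advisory's log indicators: assertion
# failures, S1AP protocol errors and repeated service restarts.
INDICATORS = {
    "assertion": re.compile(r"assert", re.IGNORECASE),
    "s1ap_error": re.compile(r"\[s1ap\]\s+(ERROR|WARNING)", re.IGNORECASE),
    "restart": re.compile(r"Scheduled restart job", re.IGNORECASE),
}


def parse_line(line):
    """Return (timestamp, message) for a log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return ts, m.group("msg")


def classify(message):
    """Map a message to the first matching indicator name, or None."""
    for name, pattern in INDICATORS.items():
        if pattern.search(message):
            return name
    return None


def indicator_counts(lines):
    """Count how often each indicator appears in the given log lines."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind = classify(parsed[1])
        if kind:
            counts[kind] += 1
    return counts


def crash_loop_detected(lines, window_seconds=300, threshold=3):
    """True if at least `threshold` restarts fall within any `window_seconds` span."""
    restarts = sorted(
        parsed[0]
        for parsed in map(parse_line, lines)
        if parsed is not None and classify(parsed[1]) == "restart"
    )
    window = timedelta(seconds=window_seconds)
    for i in range(len(restarts) - threshold + 1):
        if restarts[i + threshold - 1] - restarts[i] <= window:
            return True
    return False


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    print(dict(indicator_counts(lines)))
    print("crash loop:", crash_loop_detected(lines))
```

The restart window is the signal worth alerting on: a single assertion failure can have many causes, but three restarts of the MME within five minutes, accompanied by S1AP errors, matches the repeated-crash pattern this advisory describes and should trigger a review of which eNodeB addresses are reaching port 36412.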
