CVE-2023-37016

8.6 HIGH

📋 TL;DR

CVE-2023-37016 is a remotely triggerable assertion vulnerability in Open5GS MME that allows denial of service attacks. Attackers can send malformed ASN.1 packets over the S1AP interface to crash the MME service repeatedly. This affects all deployments running Open5GS MME versions 2.6.4 and earlier.

💻 Affected Systems

Products:
  • Open5GS MME
Versions: <= 2.6.4
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the vulnerable Open5GS MME component are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sustained MME crashes leading to complete cellular network service disruption in the affected area, preventing all voice, data, and SMS services for subscribers.

🟠

Likely Case

Intermittent service outages affecting subscriber connectivity and call drops as MME restarts, potentially causing service degradation across multiple base stations.

🟢

If Mitigated

Limited impact with quick MME restart recovery, but still causing brief service interruptions and potential signaling congestion.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted S1AP packets, which requires network access to the MME interface but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.5 or later

Vendor Advisory: https://github.com/open5gs/open5gs/security/advisories

Restart Required: Yes

Instructions:

1. Update Open5GS to version 2.6.5 or later.
2. Restart the MME service.
3. Verify the service is running correctly.

🔧 Temporary Workarounds

Network Segmentation

Linux

Restrict access to the S1AP interface (SCTP port 36412) to trusted eNodeBs only, using firewall rules. Rule order matters: the ACCEPT rules for each trusted eNodeB must be appended before the final DROP.

# repeat the ACCEPT line once per trusted eNodeB address
iptables -A INPUT -p sctp --dport 36412 -s <trusted_eNodeB_IP> -j ACCEPT
# everything else reaching the S1AP port is dropped
iptables -A INPUT -p sctp --dport 36412 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit S1AP interface exposure to only authorized eNodeBs.
  • Deploy intrusion detection systems to monitor for malformed S1AP packets and alert on MME crash events.

🔍 How to Verify

Check if Vulnerable:

Check the Open5GS version with open5gs-mmed --version. If the version is 2.6.4 or earlier, the system is vulnerable.

Check Version:

open5gs-mmed --version

Verify Fix Applied:

After patching, verify version is 2.6.5 or later and monitor MME logs for stability over 24 hours.

📡 Detection & Monitoring

Log Indicators:

  • MME process crashes/restarts in system logs
  • Assertion failures in Open5GS logs mentioning ASN.1 parsing
  • Repeated 'UE Context Modification Response' errors

Network Indicators:

  • Unusual S1AP traffic patterns from non-trusted sources
  • High volume of malformed S1AP packets
  • SCTP connection attempts to port 36412 from unexpected IPs

SIEM Query:

source="open5gs.log" AND ("assertion" OR "crash" OR "UE Context Modification Response")
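As an added example (not part of the original advisory or of Open5GS), the following Python script applies the log indicators above to a constructed sample of MME log lines: it flags ASN.1/S1AP assertion failures, counts MME restarts, and raises an alert when several assertion failures cluster inside a short window, which is the crash-loop pattern this vulnerability produces. The log layout and message wording are assumptions modelled loosely on Open5GS output, not copied from the project.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in an Open5GS-like layout "MM/DD HH:MM:SS.mmm: [component] LEVEL: message".
# Message texts are assumed for illustration; real Open5GS wording may differ.
SAMPLE_LOG = """\
03/02 10:00:01.100: [mme] INFO: MME initialize...done
03/02 10:05:12.400: [mme] INFO: eNB-S1 accepted[10.0.0.5]:36412
03/02 10:05:12.410: [mme] ERROR: ASSERT: asn1 decode of S1AP PDU failed
03/02 10:05:15.000: [mme] INFO: MME initialize...done
03/02 10:05:20.200: [mme] ERROR: ASSERT: asn1 decode of S1AP PDU failed
03/02 10:05:23.000: [mme] INFO: MME initialize...done
03/02 10:05:30.900: [mme] ERROR: ASSERT: asn1 decode of S1AP PDU failed
03/02 10:05:33.000: [mme] INFO: MME initialize...done
"""

LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d)\.\d+: \[(\w+)\] (\w+): (.*)$")
ASSERT_RE = re.compile(r"\bassert", re.I)          # assertion failure marker
ASN1_RE = re.compile(r"asn\.?1|s1ap", re.I)         # tie it to ASN.1 / S1AP decoding
STARTUP_RE = re.compile(r"initialize\.\.\.done", re.I)  # assumed startup banner

def classify(line):
    """Return (timestamp, 'assert'|'startup') for an interesting MME line, else None."""
    m = LINE_RE.match(line)
    if m is None or m.group(2) != "mme":
        return None
    # No year in the timestamp; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(m.group(1), "%m/%d %H:%M:%S")
    msg = m.group(4)
    if ASSERT_RE.search(msg) and ASN1_RE.search(msg):
        return ts, "assert"
    if STARTUP_RE.search(msg):
        return ts, "startup"
    return None

def find_crash_loops(log_text, window=timedelta(minutes=5), threshold=3):
    """Return (assert_count, restart_count, alert). alert is True when at least
    `threshold` ASN.1 assertion failures occur within any span of `window`."""
    asserts, startups = [], 0
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is None:
            continue
        if ev[1] == "assert":
            asserts.append(ev[0])
        else:
            startups += 1
    restarts = max(0, startups - 1)  # first startup is the normal boot, not a restart
    alert = any(asserts[i + threshold - 1] - asserts[i] <= window
                for i in range(len(asserts) - threshold + 1))
    return len(asserts), restarts, alert

if __name__ == "__main__":
    print(find_crash_loops(SAMPLE_LOG))  # (3, 3, True)
```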
