CVE-2023-37017

8.6 HIGH

📋 TL;DR

Open5GS MME versions up to 2.6.4 contain a remotely triggerable assertion failure when parsing malformed ASN.1 packets on the S1AP interface. An attacker can send S1Setup Request messages that omit the Global eNB ID field to crash the MME repeatedly, causing denial of service. This affects cellular network operators running vulnerable Open5GS deployments.

💻 Affected Systems

Products:
  • Open5GS MME
Versions: <= 2.6.4
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using default S1AP interface configuration are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sustained MME crashes leading to complete cellular service disruption in affected areas, preventing voice calls, SMS, and data services for subscribers.

🟠 Likely Case

Intermittent service outages and degraded network performance as the MME restarts repeatedly under attack.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, allowing quick detection and response.

🌐 Internet-Facing: MEDIUM - S1AP interface typically not directly internet-facing but could be exposed in some deployments.
🏢 Internal Only: HIGH - Attack can be launched from within the mobile operator's network or from compromised eNBs.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires knowledge of S1AP protocol and ability to send malformed packets to MME interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.5

Vendor Advisory: https://github.com/open5gs/open5gs/releases/tag/v2.6.5

Restart Required: No

Instructions:

1. Download Open5GS version 2.6.5 or later from GitHub.
2. Replace the vulnerable MME component.
3. Verify S1AP interface functionality.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict S1AP interface access to trusted eNBs only using firewall rules.

# Allow S1AP (SCTP port 36412) only from trusted eNBs; repeat the ACCEPT line for each eNB address.
iptables -A INPUT -p sctp --dport 36412 -s trusted_eNB_ip -j ACCEPT
# Drop all other S1AP traffic (both rules are appended, so an earlier, broader ACCEPT in INPUT would still match first).
iptables -A INPUT -p sctp --dport 36412 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit S1AP interface exposure.
  • Deploy intrusion detection systems monitoring for malformed S1AP packets.

🔍 How to Verify

Check if Vulnerable:

Check the Open5GS MME version; any release up to 2.6.4 is affected:

open5gs-mmed --version

Verify Fix Applied:

Verify version is 2.6.5 or higher and monitor for assertion failures in logs.

📡 Detection & Monitoring

Log Indicators:

  • MME assertion failures
  • S1AP protocol parsing errors
  • MME process restarts

Network Indicators:

  • Unusual S1Setup Request patterns
  • S1AP packets missing required fields

SIEM Query:

source="open5gs.log" AND ("assertion" OR "S1AP" OR "Global eNB ID")
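A log-side check for the indicators above, added here as an example and not part of this advisory or of Open5GS: it counts assertion, S1AP-error and restart lines and raises an alert when several MME restarts fall inside one sliding window, the crash-loop pattern this bug produces. The Open5GS line layout, the restart banner text and the sample log are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed Open5GS line layout: "MM/DD HH:MM:SS.mmm: [module] LEVEL: message".
LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d\.\d{3}): \[(\w+)\] (\w+): (.*)$")

# Indicator classes from the advisory; the restart banner text is an assumption.
INDICATORS = {
    "assertion": re.compile(r"assert", re.I),
    "s1ap_error": re.compile(r"S1AP|Global eNB ID", re.I),
    "restart": re.compile(r"MME initialize\.\.\.done"),
}

def scan_mme_log(text, window=timedelta(seconds=60), restart_threshold=3):
    """Count indicator hits; alert when >= restart_threshold restarts fall in one window."""
    counts = {name: 0 for name in INDICATORS}
    recent_restarts = deque()
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an Open5GS log record
        stamp, _module, _level, msg = m.groups()
        for name, rx in INDICATORS.items():
            if rx.search(msg):
                counts[name] += 1
        if INDICATORS["restart"].search(msg):
            # Lines carry no year; prepend a leap year so a 02/29 stamp still parses.
            now = datetime.strptime("2000 " + stamp, "%Y %m/%d %H:%M:%S.%f")
            recent_restarts.append(now)
            while now - recent_restarts[0] > window:
                recent_restarts.popleft()
            if len(recent_restarts) >= restart_threshold:
                alerts.append(stamp)
    return {"counts": counts, "alerts": alerts}

# Constructed sample: three malformed S1Setup Requests, each crashing the MME.
SAMPLE_LOG = """\
03/14 10:00:01.100: [mme] INFO: MME initialize...done
03/14 10:00:05.200: [s1ap] ERROR: S1Setup Request missing Global eNB ID
03/14 10:00:05.201: [core] FATAL: ogs_assert_if_reached
03/14 10:00:07.000: [mme] INFO: MME initialize...done
03/14 10:00:09.300: [s1ap] ERROR: S1Setup Request missing Global eNB ID
03/14 10:00:09.301: [core] FATAL: ogs_assert_if_reached
03/14 10:00:11.000: [mme] INFO: MME initialize...done
03/14 10:00:13.500: [s1ap] ERROR: S1Setup Request missing Global eNB ID
03/14 10:00:13.501: [core] FATAL: ogs_assert_if_reached
03/14 10:00:15.000: [mme] INFO: MME initialize...done
"""
```

Feed it the MME log file contents; a non-empty alerts list on a production MME is the signal to check S1AP peers against the trusted eNB list.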

🔗 References
