CVE-2023-37022
📋 TL;DR
Open5GS MME versions up to 2.6.4 contain a reachable assertion vulnerability in the UE Context Release Request packet handler. An attacker can send specially crafted packets with invalid MME_UE_S1AP_ID fields to crash the service, causing denial of service. This affects all deployments running vulnerable Open5GS MME software.
💻 Affected Systems
- Open5GS MME
📦 What is this software?
Open5gs by Open5gs
⚠️ Risk & Real-World Impact
Worst Case
Sustained denial of service causing complete unavailability of mobile network services in affected areas
Likely Case
Service disruption and instability requiring manual restart of MME components
If Mitigated
Limited service impact with quick failover to redundant systems
🎯 Exploit Status
Requires the ability to send S1AP packets to the MME interface; the packet itself needs no authentication
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.5 or later
Vendor Advisory: https://github.com/open5gs/open5gs/releases
Restart Required: Yes
Instructions:
1. Update Open5GS to version 2.6.5 or later.
2. Restart the MME service.
3. Verify the service is running correctly.
🔧 Temporary Workarounds
Network segmentation
Restrict access to the MME S1AP interface to trusted eNodeBs only
Rate limiting
Implement network-level rate limiting on S1AP packets
🧯 If You Can't Patch
- Implement strict network access controls to MME interfaces
- Deploy redundant MME instances with automatic failover
🔍 How to Verify
Check if Vulnerable:
Check Open5GS version: open5gs-mmed --version
Check Version:
open5gs-mmed --version
Verify Fix Applied:
Confirm version is 2.6.5 or later and monitor for crash events
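The version check above as a script, added here as an example and not taken from Open5GS or the vendor advisory. It assumes the command's output contains an x.y.z version token (the exact banner format is an assumption), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Open5GS code. Function names are hypothetical.
FIXED_VERSION="2.6.5"   # first fixed release according to this advisory

# Pull the first x.y.z token out of arbitrary text, e.g. a version banner.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Succeed if version $1 >= version $2, comparing fields numerically so that
# 2.10.0 sorts after 2.6.5 (a plain string comparison would get this wrong).
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # six fields: a1 a2 a3 b1 b2 b3
    IFS=$old_ifs
    [ "$1" -ne "$4" ] && { [ "$1" -gt "$4" ]; return; }
    [ "$2" -ne "$5" ] && { [ "$2" -gt "$5" ]; return; }
    [ "$3" -ge "$6" ]
}

# Print "vulnerable", "fixed" or "unknown" for the version text in $1.
open5gs_mme_status() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif version_ge "$ver" "$FIXED_VERSION"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample inputs (not captured from a real host).
for sample in "v2.6.4" "v2.6.5" "v2.10.0" "no version printed"; do
    printf '%-20s -> %s\n' "$sample" "$(open5gs_mme_status "$sample")"
done

# On an MME host, with the command the advisory gives:
#   open5gs_mme_status "$(open5gs-mmed --version 2>&1)"
```

An "unknown" result means no version token was found in the output and the host should be checked by hand rather than treated as fixed.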
📡 Detection & Monitoring
Log Indicators:
- MME process crashes
- Assertion failures in logs
- UE Context Release Request errors
Network Indicators:
- Unusual volume of UE Context Release Request packets
- Packets with malformed MME_UE_S1AP_ID
SIEM Query:
source="open5gs.log" AND ("assertion" OR "crash" OR "UE Context Release Request")