CVE-2023-37024
📋 TL;DR
An unauthenticated remote attacker can crash the Mobile Management Entity (MME) in Magma cellular core networks by sending a specially crafted NAS packet containing an Emergency Number List Information Element. This affects all Magma deployments running versions 1.8.0 or earlier, potentially causing service disruption for mobile subscribers.
💻 Affected Systems
- Magma (Open-source mobile core network platform)
📦 What is this software?
Magma by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
Complete MME service outage leading to denial of cellular service for all subscribers in the affected area, potentially cascading to other network elements.
Likely Case
MME crash causing temporary service disruption for mobile subscribers until automatic restart or manual intervention.
If Mitigated
Minimal impact if network segmentation prevents external access to MME interfaces and proper monitoring detects anomalous traffic patterns.
🎯 Exploit Status
The vulnerability requires sending a NAS packet with specific malformed content. While no public exploit exists, the technical details are documented in the reference.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9 (specifically commit 08472ba98b8321f802e95f5622fa90fec2dea486)
Vendor Advisory: https://cellularsecurity.org/ransacked
Restart Required: Yes
Instructions:
1. Update Magma to version 1.9 or later. 2. Apply commit 08472ba98b8321f802e95f5622fa90fec2dea486 if using custom builds. 3. Restart MME service after patching.
🔧 Temporary Workarounds
Network Segmentation
LinuxRestrict access to MME NAS interfaces to trusted base stations only using firewall rules.
iptables -A INPUT -p sctp --dport 36412 -s <trusted_base_station_ips> -j ACCEPT
iptables -A INPUT -p sctp --dport 36412 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit NAS packet sources to authorized base stations only.
- Deploy intrusion detection systems to monitor for anomalous NAS packets and emergency number list patterns.
🔍 How to Verify
Check if Vulnerable:
Check Magma version: if <= 1.8.0, system is vulnerable. Review MME logs for assertion failures related to emergency number list processing.Check Version:
magma version | grep -i versionVerify Fix Applied:
Verify Magma version is >= 1.9 or includes commit 08472ba98b8321f802e95f5622fa90fec2dea486. Test with simulated NAS packets containing emergency number lists.📡 Detection & Monitoring
Log Indicators:
- MME assertion failures
- Emergency Number List parsing errors
- MME process crashes/restarts
Network Indicators:
- Unusual NAS packets from untrusted sources
- SCTP packets to port 36412 with emergency number list IE
SIEM Query:
source="mme.log" AND ("assertion" OR "emergency number" OR "crash")