CVE-2023-37027 – A null pointer dereference vulnerability in Mag... (How to Fix)

Q: How do I fix CVE-2023-37027?

1. Update Magma to version 1.9 or later. 2. Restart the MME service. 3. Verify the fix by checking the version and monitoring for crashes.

Q: What is the severity of CVE-2023-37027?

CVE-2023-37027 has a CVSS score of 6.5 (MEDIUM). A null pointer dereference vulnerability in Magma's Mobile Management Entity (MME) allows network-adjacent attackers to crash the MME service by sending a malformed S1AP packet. This affects Magma versions up to 1.8.0, potentially disrupting cellular network connectivity for users served by vulnerable MME instances.

📋 TL;DR

A null pointer dereference vulnerability in Magma's Mobile Management Entity (MME) allows network-adjacent attackers to crash the MME service by sending a malformed S1AP packet. This affects Magma versions up to 1.8.0, potentially disrupting cellular network connectivity for users served by vulnerable MME instances.

💻 Affected Systems

Products:

Magma

Versions: <= 1.8.0

Operating Systems: Linux-based systems running Magma

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects MME component of Magma; requires network access to the S1AP interface.

📦 What is this software?

Magma by Linuxfoundation

View all CVEs affecting Magma →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete MME service crash leading to denial of service for all users in affected cellular network area, requiring manual restart of the MME service.

🟠

Likely Case

Service disruption affecting cellular connectivity in the impacted network segment until MME is restarted.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring allowing quick detection and recovery.

🌐 Internet-Facing: LOW - Requires network adjacency to cellular infrastructure, not directly internet-accessible.

🏢 Internal Only: MEDIUM - Attackers with access to the cellular network infrastructure could exploit this to cause service disruption.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending a specifically crafted S1AP packet to the MME interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9 (commit 08472ba98b8321f802e95f5622fa90fec2dea486)

Vendor Advisory: https://cellularsecurity.org/ransacked

Restart Required: Yes

Instructions:

1. Update Magma to version 1.9 or later. 2. Restart the MME service. 3. Verify the fix by checking the version and monitoring for crashes.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict access to S1AP interface to trusted network segments only

iptables -A INPUT -p sctp --dport 36412 -s trusted_network -j ACCEPT
iptables -A INPUT -p sctp --dport 36412 -j DROP

🧯 If You Can't Patch

Implement strict network access controls to limit S1AP interface exposure
Deploy monitoring and alerting for MME service crashes with automated restart capabilities

🔍 How to Verify

Check if Vulnerable:

Check Magma version: if <= 1.8.0 and MME service is running, system is vulnerable

Check Version:

magma version | grep -i version

Verify Fix Applied:

Verify Magma version is >= 1.9 and monitor MME service for stability

📡 Detection & Monitoring

Log Indicators:

MME service crash logs
Segmentation fault errors in MME logs
Unexpected service restarts

Network Indicators:

Malformed S1AP packets with missing eNB_UE_S1AP_ID field
Unusual S1AP traffic patterns

SIEM Query:

source="magma_mme.log" AND ("segmentation fault" OR "null pointer" OR "crash")

📊 Metadata

CVE ID: CVE-2023-37027

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-476

EPSS Score: 0.13% exploit probability (33th percentile)

Published: January 21, 2025

Last Updated: March 18, 2025

🔗 References

https://cellularsecurity.org/ransacked Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-37027, you might also want to check these: