CVE-2023-37030
📋 TL;DR
A null pointer dereference in Magma's Mobile Management Entity (MME) lets an attacker who can reach the MME's S1-MME interface (network-adjacent: on the backhaul or behind a compromised eNodeB) crash the MME service with a single S1AP Initial UE Message that omits the mandatory eNB_UE_S1AP_ID information element. Magma up to and including version 1.8.0 is affected; a crashed MME drops every UE attached through that gateway until it is back up.
💻 Affected Systems
- Magma (Open-source mobile core network platform)
📦 What is this software?
Magma is an open-source mobile core network platform (LTE EPC, with 5G support) hosted by the Linux Foundation. The MME is the LTE control-plane component that terminates S1AP from eNodeBs and handles UE attach, authentication and mobility; in Magma it runs on the Access Gateway.
⚠️ Risk & Real-World Impact
Worst Case
The MME process crashes, a denial of service for every UE served through the affected gateway: active sessions are lost and no new attaches succeed until the MME is running again. An attacker who keeps sending the crafted packet can keep it down.
Likely Case
The MME crashes and is restarted by its service supervisor; attached UEs are dropped and must re-attach, so connectivity is interrupted for the duration of the restart and re-attach cycle.
If Mitigated
Minimal impact if the S1-MME interface is reachable only from trusted eNodeBs and MME crashes are alerted on. Note that blocking "malformed S1AP" in the network requires S1AP-aware inspection; port-level filtering only limits who can send at all.
🎯 Exploit Status
Exploitation needs only one crafted S1AP InitialUEMessage delivered over SCTP to the MME's S1-MME interface. InitialUEMessage is the first UE-associated message an eNodeB sends, and S1AP itself carries no authentication, so the only barrier is reachability: the attacker must be on the S1 network or control an eNodeB. Crafting the packet is straightforward for anyone with an S1AP encoder.
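The pattern behind this class of bug, shown as an added C illustration (this is not Magma's source; all type, function and field names are hypothetical stand-ins, and the two sample PDUs are constructed, not captured): a decoded InitialUEMessage is a list of protocol IEs, the handler looks up the mandatory eNB-UE-S1AP-ID IE, and the vulnerable version dereferences the lookup result without checking that the peer actually sent it. The hardened version rejects the PDU instead of crashing.

```c
/* Added illustration of the CVE-2023-37030 bug class; this is NOT Magma's
 * source. All type, function and field names are hypothetical stand-ins.
 * An S1AP InitialUEMessage is a container of protocol IEs; the handler looks
 * up the mandatory eNB-UE-S1AP-ID IE and, in the vulnerable pattern,
 * dereferences the lookup result without checking the sender included it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ProtocolIE-ID values as assigned in 3GPP TS 36.413 (these numbers are real). */
#define S1AP_IE_ENB_UE_S1AP_ID  8
#define S1AP_IE_NAS_PDU        26

typedef struct {
    uint16_t id;    /* ProtocolIE-ID */
    uint32_t u32;   /* value for integer-typed IEs (simplified; real IEs are a union) */
} s1ap_ie_t;

typedef struct {
    const s1ap_ie_t *ies;   /* decoded ProtocolIE-Container */
    size_t n;
} s1ap_initial_ue_msg_t;

/* Find an IE by id. Returns NULL when the peer did not include it. */
static const s1ap_ie_t *find_ie(const s1ap_initial_ue_msg_t *m, uint16_t id) {
    for (size_t i = 0; i < m->n; i++)
        if (m->ies[i].id == id) return &m->ies[i];
    return NULL;
}

/* Vulnerable pattern: assumes the mandatory IE is present because the ASN.1
 * says it must be. A peer that omits it makes find_ie() return NULL and the
 * read below raises SIGSEGV, taking the whole MME process down. */
uint32_t handle_initial_ue_vulnerable(const s1ap_initial_ue_msg_t *m) {
    const s1ap_ie_t *ie = find_ie(m, S1AP_IE_ENB_UE_S1AP_ID);
    return ie->u32;   /* no NULL check */
}

/* Hardened pattern: validate every mandatory IE before use and reject the
 * PDU (the caller would answer with an S1AP ErrorIndication and keep running).
 * Returns the eNB-UE-S1AP-ID (0..2^24-1 per TS 36.413) or -1 if absent. */
int64_t handle_initial_ue_hardened(const s1ap_initial_ue_msg_t *m) {
    const s1ap_ie_t *ie = find_ie(m, S1AP_IE_ENB_UE_S1AP_ID);
    if (ie == NULL) {
        fprintf(stderr, "S1AP InitialUEMessage missing mandatory eNB-UE-S1AP-ID, rejecting PDU\n");
        return -1;
    }
    return (int64_t)ie->u32;
}

/* Constructed sample PDUs (not captured traffic). */
static const s1ap_ie_t well_formed_ies[] = {
    { S1AP_IE_ENB_UE_S1AP_ID, 42 },
    { S1AP_IE_NAS_PDU,         0 },
};
static const s1ap_ie_t malformed_ies[] = {
    { S1AP_IE_NAS_PDU,         0 },   /* eNB-UE-S1AP-ID deliberately omitted */
};
const s1ap_initial_ue_msg_t well_formed_msg = { well_formed_ies, 2 };
const s1ap_initial_ue_msg_t malformed_msg   = { malformed_ies, 1 };

int main(void) {
    printf("well-formed, vulnerable handler: id=%u\n",
           handle_initial_ue_vulnerable(&well_formed_msg));
    printf("malformed, hardened handler: %lld\n",
           (long long)handle_initial_ue_hardened(&malformed_msg));
    /* handle_initial_ue_vulnerable(&malformed_msg) would crash this process,
     * which is what the crafted packet does to the MME. */
    return 0;
}
```

The fix shape matters more than the names: every IE the ASN.1 marks mandatory has to be checked for presence after decoding, because the decoder only guarantees the bytes parsed, not that the peer obeyed the spec.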
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9 (specifically commit 08472ba98b8321f802e95f5622fa90fec2dea486)
Advisory / Reference (RANSacked disclosure): https://cellularsecurity.org/ransacked
Restart Required: Yes
Instructions:
1. Update Magma to version 1.9 or later.
2. If you build from source, make sure commit 08472ba98b8321f802e95f5622fa90fec2dea486 is in your tree (cherry-pick it if you track an older branch).
3. Restart the MME service after the update.
🔧 Temporary Workarounds
Network segmentation and ACLs
Restrict access to the MME's S1-MME (S1AP over SCTP) interface to trusted eNodeBs only, with host firewall rules on the gateway or ACLs upstream. S1AP uses SCTP port 36412 (38412 is NGAP, the 5G N2 interface, and is not what the LTE MME listens on). This limits who can send at all; a compromised trusted eNodeB can still trigger the crash.
# Example iptables rules on the gateway host: allow S1AP (SCTP 36412) only from known eNodeBs, drop everything else.
# Replace the addresses with your eNodeB IPs; order matters, the ACCEPT rules must precede the DROP.
for enb in 10.0.2.10 10.0.2.11; do
  iptables -A INPUT -p sctp --dport 36412 -s "$enb" -j ACCEPT
done
iptables -A INPUT -p sctp --dport 36412 -j DROP
🧯 If You Can't Patch
- Keep the S1-MME interface on an isolated backhaul network (IPsec tunnels from eNodeBs are the usual way) so only enrolled eNodeBs can open an SCTP association to the MME
- Deploy NIDS/NIPS that can decode S1AP (ASN.1 PER) to flag InitialUEMessage PDUs missing mandatory IEs and SCTP associations from unexpected sources; port-based rules alone cannot see the malformation
- Alert on MME restarts so an ongoing attack is noticed rather than absorbed by automatic restarts
🔍 How to Verify
Check if Vulnerable:
If the Magma version is 1.8.0 or earlier and the MME is running, the system is vulnerable. Review MME logs for crashes, core dumps and service restarts.
Check Version:
dpkg -s magma | grep -i '^Version'    # packaged AGW install on Debian/Ubuntu
git -C /path/to/magma merge-base --is-ancestor 08472ba98b8321f802e95f5622fa90fec2dea486 HEAD && echo fixed || echo vulnerable    # source build; /path/to/magma is your checkout
Verify Fix Applied:
Confirm the running Magma version is 1.9 or later, or that commit 08472ba98b8321f802e95f5622fa90fec2dea486 is in the build's history. Then confirm the MME stays up under normal S1AP traffic (eNodeBs reconnect and UEs attach).
📡 Detection & Monitoring
Log Indicators:
- MME crash logs
- S1AP protocol parsing errors
- SIGSEGV / core dump of the MME process (systemd reports "Main process exited, code=dumped, status=11/SEGV" for the magma@mme unit)
- Service restart events
Network Indicators:
- S1AP InitialUEMessage PDUs missing the eNB_UE_S1AP_ID IE (requires S1AP-aware decoding)
- SCTP associations to port 36412 from addresses that are not enrolled eNodeBs
SIEM Query:
source="magma_mme.log" AND ("segmentation fault" OR "code=dumped" OR "status=11/SEGV" OR "S1AP parsing error")