CVE-2023-37035

6.5 MEDIUM

📋 TL;DR

A null pointer dereference vulnerability in Magma's Mobile Management Entity (MME) allows network-adjacent attackers to crash the MME service by sending a malformed S1AP S1Setup Request packet missing the Global eNB ID field. This causes denial of service for cellular network users. Organizations running Magma core networks with versions up to 1.8.0 are affected.
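To make the bug class concrete, the following is an added illustration (not Magma's code, and not the exact fix in the referenced commit): a decoded S1Setup Request is modelled as a flat list of protocol IEs, a lookup helper returns NULL when an IE is absent, and two handlers are shown side by side. The vulnerable one dereferences the Global-ENB-ID lookup unconditionally, so a request without that IE is a null pointer dereference; the hardened one checks every mandatory IE first and rejects the request. The IE identifiers are the real S1AP ProtocolIE-IDs from 3GPP TS 36.413; the struct names, the result codes and the sample IE bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* S1AP ProtocolIE-IDs as assigned in 3GPP TS 36.413. */
#define S1AP_ID_GLOBAL_ENB_ID       59
#define S1AP_ID_ENB_NAME            60
#define S1AP_ID_SUPPORTED_TAS       64
#define S1AP_ID_DEFAULT_PAGING_DRX  137

/* Hypothetical already-decoded IE representation (not Magma's types). */
typedef struct {
    uint16_t       id;
    const uint8_t *value;
    size_t         len;
} s1ap_ie_t;

typedef struct {
    const s1ap_ie_t *ies;
    size_t           count;
} s1setup_request_t;

typedef enum {
    S1SETUP_ACCEPTED          = 0,
    S1SETUP_REJECT_MISSING_IE = 1,
    S1SETUP_REJECT_BAD_LEN    = 2
} s1setup_result_t;

/* Mirrors the shape of a find-IE-by-id helper: NULL when the IE is absent. */
static const s1ap_ie_t *find_ie(const s1setup_request_t *req, uint16_t id) {
    for (size_t i = 0; i < req->count; i++) {
        if (req->ies[i].id == id) return &req->ies[i];
    }
    return NULL;
}

/* Vulnerable pattern: assumes a mandatory IE is always present. With the
 * Global-ENB-ID IE missing, find_ie() returns NULL and the dereference below
 * crashes the process, which is the MME denial of service. */
s1setup_result_t handle_s1setup_vulnerable(const s1setup_request_t *req,
                                           uint8_t *enb_id_out, size_t out_len) {
    const s1ap_ie_t *ie = find_ie(req, S1AP_ID_GLOBAL_ENB_ID);
    size_t n = ie->len < out_len ? ie->len : out_len;  /* NULL deref if IE missing */
    memcpy(enb_id_out, ie->value, n);
    return S1SETUP_ACCEPTED;
}

/* Hardened pattern: validate presence of every mandatory IE before any use,
 * and bound the copy by the IE length, so a malformed request is rejected
 * rather than crashing the service. */
s1setup_result_t handle_s1setup_fixed(const s1setup_request_t *req,
                                      uint8_t *enb_id_out, size_t out_len) {
    static const uint16_t mandatory[] = {
        S1AP_ID_GLOBAL_ENB_ID, S1AP_ID_SUPPORTED_TAS, S1AP_ID_DEFAULT_PAGING_DRX
    };
    for (size_t i = 0; i < sizeof mandatory / sizeof mandatory[0]; i++) {
        if (find_ie(req, mandatory[i]) == NULL) return S1SETUP_REJECT_MISSING_IE;
    }
    const s1ap_ie_t *ie = find_ie(req, S1AP_ID_GLOBAL_ENB_ID);
    if (ie->len == 0 || ie->len > out_len) return S1SETUP_REJECT_BAD_LEN;
    memcpy(enb_id_out, ie->value, ie->len);
    return S1SETUP_ACCEPTED;
}

/* Constructed sample IE values (not captured traffic). */
static const uint8_t k_global_enb_id[] = { 0x00, 0xF1, 0x10, 0x00, 0x01, 0x23 }; /* PLMN 001/01 + eNB id */
static const uint8_t k_supported_tas[] = { 0x00, 0x01, 0x00, 0xF1, 0x10 };
static const uint8_t k_paging_drx[]    = { 0x01 };

static const s1ap_ie_t k_good_ies[] = {
    { S1AP_ID_GLOBAL_ENB_ID,      k_global_enb_id, sizeof k_global_enb_id },
    { S1AP_ID_SUPPORTED_TAS,      k_supported_tas, sizeof k_supported_tas },
    { S1AP_ID_DEFAULT_PAGING_DRX, k_paging_drx,    sizeof k_paging_drx },
};
/* Same request with the Global-ENB-ID IE omitted: the CVE-2023-37035 trigger. */
static const s1ap_ie_t k_bad_ies[] = {
    { S1AP_ID_SUPPORTED_TAS,      k_supported_tas, sizeof k_supported_tas },
    { S1AP_ID_DEFAULT_PAGING_DRX, k_paging_drx,    sizeof k_paging_drx },
};

const s1setup_request_t well_formed_request    = { k_good_ies, 3 };
const s1setup_request_t missing_enb_id_request = { k_bad_ies, 2 };

int main(void) {
    uint8_t buf[16];
    printf("well-formed, fixed handler: %d\n",
           handle_s1setup_fixed(&well_formed_request, buf, sizeof buf));
    printf("missing Global-ENB-ID, fixed handler: %d\n",
           handle_s1setup_fixed(&missing_enb_id_request, buf, sizeof buf));
    /* handle_s1setup_vulnerable(&missing_enb_id_request, buf, sizeof buf)
     * would segfault here; it is deliberately not called on the bad input. */
    return 0;
}
```

The point of the hardened variant is that "mandatory" in the ASN.1 definition is a statement about the sender, not a guarantee the decoder can rely on: any peer that can reach SCTP port 36412 can omit the IE, so presence must be checked on the receiving side before the pointer is used.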

💻 Affected Systems

Products:
  • Magma Core Network
Versions: All versions <= 1.8.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the MME component of Magma. Requires network adjacency to the MME's S1 interface.

⚠️ Manual Verification Required

This CVE has no machine-readable version range in our database, so automated vulnerability detection cannot determine on its own whether a given Magma deployment is affected.

Why? The NVD entry does not provide a version range. The affected range stated above (all versions <= 1.8.0, fixed in 1.9.0 / commit 08472ba98b8321f802e95f5622fa90fec2dea486) is taken from the CVE description and the fix commit and has to be confirmed by hand against the installed version.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test whether the vulnerability is exploitable in your environment, in a lab rather than against a production MME, since the trigger crashes the service
  4. Update to 1.9.0 or later, or apply the fix commit, once the version check confirms exposure

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete MME service crash leading to cellular service outage for all users in the affected area, requiring manual restart of the MME component.

🟠

Likely Case

Service disruption affecting cellular connectivity for users served by the crashed MME instance until automatic or manual recovery occurs.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery from the crash.

🌐 Internet-Facing: LOW - The vulnerability requires network-adjacent access to the MME's S1 interface, which is typically not directly internet-facing in cellular network architectures.
🏢 Internal Only: HIGH - Attackers with access to the internal cellular network (e.g., rogue base stations, compromised network elements) can exploit this to cause service disruption.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a single crafted S1AP S1Setup Request (an S1Setup Request without the Global eNB ID IE) but no authentication: the S1-MME interface has no application-layer authentication of the eNodeB, so any host that can open an SCTP association to the MME's S1 port (36412) can send it, for example a rogue base station or a compromised network element.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.0 (commit 08472ba98b8321f802e95f5622fa90fec2dea486)

Advisory: https://cellularsecurity.org/ransacked (RANSACKED research disclosure page that reported this issue)

Restart Required: Yes

Instructions:

1. Update Magma to version 1.9.0 or later.
2. If running from source, apply commit 08472ba98b8321f802e95f5622fa90fec2dea486.
3. Restart the MME service after patching; the fix only takes effect in the running process once it is restarted.

🔧 Temporary Workarounds

Network Segmentation

Restrict access to the MME's S1-MME interface (SCTP port 36412) to the IP addresses of trusted eNodeBs using firewall rules, for example:

iptables -A INPUT -p sctp --dport 36412 -s <trusted_eNB_IP> -j ACCEPT
iptables -A INPUT -p sctp --dport 36412 -j DROP

Repeat the ACCEPT line for each trusted eNodeB and make sure these rules are evaluated before any broader ACCEPT rule already in the INPUT chain (use -I to insert at the top if needed). This only filters by source address: it does not protect against a trusted eNodeB that has been compromised or an attacker who can spoof a trusted address on the same segment, and it does not remove the bug, so it is a stopgap until the patch is applied.

🧯 If You Can't Patch

  • Implement strict network access controls to limit S1 interface access to authorized eNodeBs only.
  • Deploy monitoring and alerting for MME service crashes with automated restart capabilities.

🔍 How to Verify

Check if Vulnerable:

Check the installed Magma version: if it is 1.8.0 or earlier and the deployment does not include the fix commit, the MME is vulnerable. Also review MME logs for crashes that coincide with incoming S1Setup Request packets.

Check Version:

dpkg -s magma | grep -i '^Version'

(This assumes the Debian/Ubuntu AGW package named magma; on a source build, check the git revision instead.)

Verify Fix Applied:

Verify that the Magma version is 1.9.0 or later, or that the deployed revision includes commit 08472ba98b8321f802e95f5622fa90fec2dea486 (on a source checkout, git merge-base --is-ancestor <commit> HEAD). Then confirm that legitimate eNodeBs still complete S1 Setup, and, in a lab only, that an S1Setup Request without the Global eNB ID IE is rejected without the MME process terminating.

📡 Detection & Monitoring

Log Indicators:

  • MME service crashes, in particular those that coincide with a new eNodeB S1 Setup attempt
  • Null pointer dereference errors in MME logs
  • Unexpected termination or restart of the mme process (the magma@mme service)

Network Indicators:

  • S1AP S1Setup Request packets missing the Global eNB ID IE (visible with an S1AP-aware dissector on SCTP port 36412)
  • SCTP associations to MME port 36412 from source addresses that are not known eNodeBs

SIEM Query:

source="mme.log" AND ("null pointer" OR "segmentation fault" OR "crash")
