CVE-2023-37039
📋 TL;DR
A null pointer dereference vulnerability in Magma's Mobility Management Entity (MME) allows network-adjacent attackers to crash the MME service by sending a malformed S1AP Initial UE Message packet that lacks the RRC Establishment Cause field. This affects Magma versions up to 1.8.0, potentially disrupting cellular network connectivity for users served by the affected MME.
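The defect class described above is a message handler that uses a decoded information element (IE) without first confirming that the IE was present. The following Python script is an added example, not Magma's code, showing the hardened shape of such a handler: it decodes an Initial-UE-Message-style IE container and rejects the message when any mandatory IE, including RRC-Establishment-Cause, is missing, empty or truncated, instead of dereferencing an absent value. The container encoding (2-byte IE id, 1-byte criticality, 1-byte length, value) is a constructed simplification rather than the ASN.1 PER encoding real S1AP uses; the ProtocolIE-ID constants are the values assigned in 3GPP TS 36.413, and every message below is a constructed sample.

```python
"""Mandatory-IE check for an S1AP-style Initial UE Message (added example)."""
import struct

# ProtocolIE-ID values assigned in 3GPP TS 36.413 (S1AP)
ID_ENB_UE_S1AP_ID = 8
ID_NAS_PDU = 26
ID_TAI = 67
ID_EUTRAN_CGI = 100
ID_RRC_ESTABLISHMENT_CAUSE = 134

# IEs that InitialUEMessage must carry before the handler may use any of them
MANDATORY_IES = {ID_ENB_UE_S1AP_ID, ID_NAS_PDU, ID_TAI,
                 ID_EUTRAN_CGI, ID_RRC_ESTABLISHMENT_CAUSE}


def encode_ies(ies):
    """Constructed container encoding: [(ie_id, value_bytes), ...] -> bytes."""
    out = bytearray()
    for ie_id, value in ies:
        # id (2 bytes), criticality (1 byte, constructed as 0), length (1 byte)
        out += struct.pack("!HBB", ie_id, 0, len(value)) + value
    return bytes(out)


def decode_ies(payload):
    """Parse the container into {ie_id: value}; raise on truncated input."""
    ies = {}
    pos = 0
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated IE header at offset %d" % pos)
        ie_id, _criticality, length = struct.unpack("!HBB", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError("IE %d declares %d bytes beyond end of payload" % (ie_id, length))
        ies[ie_id] = payload[pos:pos + length]
        pos += length
    return ies


def handle_initial_ue_message(payload):
    """Hardened handler: check presence of every mandatory IE before use.

    Returns ("accepted", rrc_cause) or ("rejected", reason). The unpatched
    pattern this guards against is reading the decoded IE without first
    checking that the decoder actually produced it.
    """
    try:
        ies = decode_ies(payload)
    except ValueError as exc:
        return ("rejected", "decode error: %s" % exc)
    missing = sorted(MANDATORY_IES - set(ies))
    if missing:
        return ("rejected", "missing mandatory IE(s): %s" % missing)
    cause_value = ies[ID_RRC_ESTABLISHMENT_CAUSE]
    if not cause_value:
        return ("rejected", "empty RRC-Establishment-Cause")
    return ("accepted", cause_value[0])


# Constructed sample messages (values are placeholders, not real NAS/TAI data)
_BASE_IES = [
    (ID_ENB_UE_S1AP_ID, b"\x00\x00\x00\x01"),
    (ID_NAS_PDU, b"\x07\x41\x01"),
    (ID_TAI, b"\x00\xf1\x10\x00\x01"),
    (ID_EUTRAN_CGI, b"\x00\xf1\x10\x00\x00\x00\x10"),
]
FULL_MESSAGE = encode_ies(_BASE_IES + [(ID_RRC_ESTABLISHMENT_CAUSE, b"\x04")])
MESSAGE_WITHOUT_CAUSE = encode_ies(_BASE_IES)

if __name__ == "__main__":
    print(handle_initial_ue_message(FULL_MESSAGE))
    print(handle_initial_ue_message(MESSAGE_WITHOUT_CAUSE))
    print(handle_initial_ue_message(FULL_MESSAGE[:-3]))  # truncated header
```

The point of the design is that every failure path returns a rejection to the caller rather than raising or reading past what the decoder produced; in a real MME that rejection would become an error-indication or a dropped message, and the process stays up.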
💻 Affected Systems
- Magma
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for cellular network subscribers served by the affected MME, disrupting voice, data, and SMS services until service is restored.
Likely Case
Service disruption affecting a subset of users or intermittent MME crashes requiring manual intervention to restart the service.
If Mitigated
Minimal impact with proper network segmentation and monitoring allowing quick detection and recovery from crashes.
🎯 Exploit Status
Exploitation requires sending a specifically crafted S1AP packet to the vulnerable MME interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9 (commit 08472ba98b8321f802e95f5622fa90fec2dea486)
Vendor Advisory: https://cellularsecurity.org/ransacked
Restart Required: Yes
Instructions:
1. Update Magma to version 1.9 or later.
2. Apply commit 08472ba98b8321f802e95f5622fa90fec2dea486 if using a source build.
3. Restart the MME service.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the MME's S1AP interface (SCTP port 36412) to trusted network elements only. Replace trusted_ip_range with the address range of your eNodeBs and other trusted S1 peers; the ACCEPT rule must be inserted before the DROP rule, as below:
iptables -A INPUT -p sctp --dport 36412 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p sctp --dport 36412 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit S1AP interface exposure
- Deploy monitoring and alerting for MME service crashes with automated restart capabilities
🔍 How to Verify
Check if Vulnerable:
Check the Magma version: if it is 1.8.0 or earlier and the MME is running, the system is vulnerable.
Check Version:
magma version | grep -i version
Verify Fix Applied:
Verify Magma version is >= 1.9 or includes commit 08472ba98b8321f802e95f5622fa90fec2dea486.
📡 Detection & Monitoring
Log Indicators:
- MME service crash logs
- Segmentation fault errors in MME logs
- Unexpected MME restarts
Network Indicators:
- Malformed S1AP packets to port 36412
- Unusual S1AP traffic patterns
SIEM Query:
source="magma_logs" AND ("segmentation fault" OR "null pointer" OR "MME crash")
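An added example, not part of this advisory or of Magma, of applying the log indicators above to sample lines: it tags lines matching the segmentation-fault, null-pointer, crash and restart indicators and raises an alert when MME restarts cluster within a time window, which is the signature of a service being crashed repeatedly. The log format, the mme.service name and every line are constructed; adapt the regular expressions and the timestamp parsing to the real MME and init-system log format.

```python
"""Crash-indicator scan over constructed MME log lines (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Indicator name -> pattern; the first matching indicator tags the line
INDICATORS = [
    ("segfault", re.compile(r"segmentation fault|status=11/SEGV", re.I)),
    ("null_pointer", re.compile(r"null pointer", re.I)),
    ("mme_crash", re.compile(r"MME crash|main process exited", re.I)),
    ("restart", re.compile(r"scheduled restart|restart job", re.I)),
]

# Constructed line shape: <ISO-8601 UTC timestamp> <source>: <message>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[^:]+):\s*(?P<msg>.*)$")


def parse_line(line):
    """Return (timestamp, source, message) or None for lines that do not fit."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    try:
        ts = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts.replace(tzinfo=timezone.utc), match.group("src"), match.group("msg")


def scan(lines):
    """Tag every line that matches an indicator; returns a list of event dicts."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, msg = parsed
        for kind, pattern in INDICATORS:
            if pattern.search(msg):
                events.append({"ts": ts, "src": src, "kind": kind, "msg": msg})
                break
    return events


def crash_loop_alerts(events, kind="restart", threshold=3, window=timedelta(minutes=10)):
    """Alert when `threshold` events of `kind` fall inside a sliding `window`.

    The window is reset after each alert so a sustained crash loop yields one
    alert per threshold crossing rather than one per line.
    """
    times = sorted(e["ts"] for e in events if e["kind"] == kind)
    alerts = []
    recent = []
    for t in times:
        recent.append(t)
        recent = [r for r in recent if t - r <= window]
        if len(recent) >= threshold:
            alerts.append({"start": recent[0], "end": t, "count": len(recent)})
            recent = []
    return alerts


# Constructed sample log: three crash/restart cycles within eight minutes
SAMPLE_LOG = """\
2024-05-01T10:00:01Z mme[1234]: INFO S1AP InitialUEMessage received enb_ue_s1ap_id=1
2024-05-01T10:00:02Z mme[1234]: ERROR segmentation fault (core dumped) in S1AP initial UE message handler
2024-05-01T10:00:05Z systemd[1]: mme.service: Main process exited, code=killed, status=11/SEGV
2024-05-01T10:00:06Z systemd[1]: mme.service: Scheduled restart job, restart counter is at 1.
2024-05-01T10:03:10Z mme[1240]: ERROR segmentation fault (core dumped) in S1AP initial UE message handler
2024-05-01T10:03:11Z systemd[1]: mme.service: Scheduled restart job, restart counter is at 2.
2024-05-01T10:07:40Z mme[1251]: ERROR null pointer dereference while decoding S1AP Initial UE Message
2024-05-01T10:07:41Z systemd[1]: mme.service: Main process exited, code=killed, status=11/SEGV
2024-05-01T10:07:42Z systemd[1]: mme.service: Scheduled restart job, restart counter is at 3.
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for event in found:
        print(event["ts"].isoformat(), event["kind"], event["msg"])
    for alert in crash_loop_alerts(found):
        print("ALERT: %d restarts between %s and %s" % (alert["count"], alert["start"], alert["end"]))
```

Counting restarts rather than raw crash lines avoids double-counting the application's own error line and the init system's exit line for the same incident; the same scan output can feed the SIEM query above as structured events.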