CVE-2023-36998
Published: 22 January 2025
Description
The NextEPC MME <= 1.0.1 (fixed in commit a8492c9c5bc0a66c6999cb5a263545b32a4109df) contains a stack-based buffer overflow vulnerability in the Emergency Number List decoding method. An attacker may send a NAS message containing an oversized Emergency Number List value to the MME to overwrite the stack with arbitrary bytes. An attacker with a cellphone connection to any base station managed by the MME may exploit this vulnerability without having to authenticate with the LTE core.
Security Summary
CVE-2023-36998 is a stack-based buffer overflow vulnerability (CWE-121) in the Emergency Number List decoding method of NextEPC MME versions up to and including 1.0.1. The flaw allows an attacker to send a NAS message with an oversized Emergency Number List value, causing the MME to overwrite the stack with arbitrary bytes. It has a CVSS v3.1 base score of 8.9 (AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H) and was published on 2025-01-22.
An attacker with a cellphone connection to any base station managed by the affected MME can exploit this vulnerability without authenticating to the LTE core. By crafting and transmitting a malicious NAS message, the attacker can trigger the buffer overflow, potentially achieving arbitrary code execution, integrity violations, or denial of service on the MME; this matches the vector's high integrity and availability impact, its low confidentiality impact, and its changed scope.
Mitigation involves updating to the fixed commit a8492c9c5bc0a66c6999cb5a263545b32a4109df. Additional details are available in advisories at http://nextepc.com and https://cellularsecurity.org/ransacked.
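As an added illustration (not NextEPC code and not the fixing commit), the following C decoder shows the length checks a safe Emergency Number List parser needs before copying peer-controlled data into a fixed-size stack buffer; the IE layout is assumed from 3GPP TS 24.008 section 10.5.3.13, and the type names and sample inputs are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* IE layout assumed from 3GPP TS 24.008, 10.5.3.13: a length octet, then
 * entries of [entry length][service category][BCD digits...]; 48 is the
 * spec's maximum contents length. Names and samples are this example's. */
#define EMERG_LIST_MAX_LEN 48
typedef struct {
    uint8_t len;                          /* octets copied into contents */
    uint8_t entries;                      /* well-formed entries found */
    uint8_t contents[EMERG_LIST_MAX_LEN]; /* fixed size, as on the stack */
} emergency_number_list_t;

/* Returns octets consumed, or -1 if malformed. The length check before the
 * memcpy is what a CWE-121 decoder omits when it trusts a peer-supplied
 * length against a fixed stack array. */
int decode_emergency_number_list(const uint8_t *buf, size_t buflen,
                                 emergency_number_list_t *out) {
    if (buflen < 1) return -1;
    size_t len = buf[0];
    if (len > sizeof(out->contents) || len > buflen - 1) return -1;
    memcpy(out->contents, buf + 1, len);
    out->len = (uint8_t)len; out->entries = 0;
    for (size_t pos = 0; pos < len; pos += 1 + out->contents[pos]) {
        size_t elen = out->contents[pos];
        if (elen < 1 || pos + 1 + elen > len) return -1; /* inner overrun */
        out->entries++;
    }
    return (int)(1 + len);
}

/* Entry count for a buffer, or -1 when the decoder rejects it. */
int emergency_list_entry_count(const uint8_t *buf, size_t buflen) {
    emergency_number_list_t l;
    return decode_emergency_number_list(buf, buflen, &l) < 0 ? -1 : l.entries;
}

/* Constructed samples: one valid entry for "911" (category 0x01, BCD digits
 * 9,1,1) and the same body behind an oversized length octet. Passing a
 * shorter buflen than the array models a truncated message. */
static const uint8_t SAMPLE_VALID[]     = {0x04, 0x03, 0x01, 0x19, 0xF1};
static const uint8_t SAMPLE_OVERSIZED[] = {0xFF, 0x03, 0x01, 0x19, 0xF1};

int main(void) {
    printf("valid=%d oversized=%d truncated=%d\n",
           emergency_list_entry_count(SAMPLE_VALID, sizeof SAMPLE_VALID),
           emergency_list_entry_count(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED),
           emergency_list_entry_count(SAMPLE_VALID, 3));
    return 0;
}
```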
Details
- CWE(s)