Cyber Posture

CVE-2023-37013

High · Public PoC

Published: 22 January 2025

Modified: 22 April 2025
KEV Added
Patch
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0020 (41.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a sufficiently large ASN.1 packet over the S1AP interface. An attacker may repeatedly send such an oversized packet to cause the `ogs_sctp_recvmsg` routine to reach an unexpected network state and crash, leading to denial of service.

Security Summary

CVE-2023-37013 affects Open5GS MME versions up to and including 2.6.4. The vulnerability involves an assertion failure that can be remotely triggered by sending a sufficiently large ASN.1 packet over the S1AP interface. This causes the `ogs_sctp_recvmsg` routine to encounter an unexpected network state, resulting in a crash and denial of service. The issue is classified under CWE-617 (Reachable Assertion) with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

An unauthenticated remote attacker can exploit this vulnerability by repeatedly sending oversized ASN.1 packets over the S1AP interface. This triggers the assertion failure and crashes the MME component, leading to a denial of service. The CVSS vector indicates potential low-impact confidentiality and integrity effects alongside the availability impact, though the primary outcome described is service disruption.

Mitigation details and further advisories are available in the reference at https://cellularsecurity.org/ransacked.

Details

CWE(s)
CWE-617

Affected Products

open5gs
open5gs
≤ 2.6.4

References