CVE-2024-34235
Published: 22 January 2025
Description
Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send an `Initial UE Message` missing a required `NAS_PDU` field to repeatedly crash the MME, resulting in denial of service.
Security Summary
CVE-2024-34235 affects Open5GS Mobility Management Entity (MME) versions up to and including 2.6.4. The vulnerability stems from an assertion failure that can be remotely triggered by a malformed ASN.1 packet transmitted over the S1AP interface. Specifically, an attacker can send an Initial UE Message lacking the required NAS_PDU field, causing the MME to crash and resulting in a denial-of-service condition. This issue is classified under CWE-617 (Reachable Assertion) and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).
Any remote attacker can exploit this vulnerability without authentication or privileges, as it requires only network access and low complexity to craft and send the malformed packet. By repeatedly transmitting the Initial UE Message without the NAS_PDU field, the attacker can crash the MME process multiple times, leading to sustained denial of service that disrupts core network functions reliant on the MME, such as UE attachment and mobility management. The changed scope (S:C) amplifies the impact across the system's availability.
Mitigation details and patches are outlined in the advisory available at https://cellularsecurity.org/ransacked. Security practitioners should consult this reference for upgrade guidance and workarounds to address the vulnerability in affected Open5GS deployments.
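The bug class described above (CWE-617), shown as an added example that is not Open5GS code: a handler that asserts on a mandatory IE beside one that rejects the message and keeps running. The struct, function names and result codes are hypothetical, and a NULL pointer is assumed to mean the IE was absent from the decoded PDU.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical decoded Initial UE Message; a NULL pointer means the IE
 * was absent from the received PDU. Not the Open5GS data structures. */
typedef struct {
    const uint32_t *enb_ue_s1ap_id;
    const uint8_t  *nas_pdu;
    size_t          nas_pdu_len;
} initial_ue_message_t;

typedef enum { HANDLE_OK, REJECT_MISSING_IE, REJECT_EMPTY_IE } handle_result_t;

static unsigned long rejected;   /* exported to monitoring in a real service */

/* CWE-617 pattern: peer-controlled input decides whether the process aborts. */
handle_result_t handle_asserting(const initial_ue_message_t *msg)
{
    assert(msg->nas_pdu != NULL);   /* absent IE -> abort() -> process down */
    return HANDLE_OK;
}

/* Hardened pattern: a missing mandatory IE is a per-message error. */
handle_result_t handle_checked(const initial_ue_message_t *msg)
{
    if (msg == NULL || msg->enb_ue_s1ap_id == NULL || msg->nas_pdu == NULL) {
        rejected++;
        return REJECT_MISSING_IE;   /* drop this message, keep running */
    }
    if (msg->nas_pdu_len == 0) {
        rejected++;
        return REJECT_EMPTY_IE;
    }
    return HANDLE_OK;               /* NAS PDU is safe to pass onward */
}

unsigned long rejected_count(void) { return rejected; }

int main(void)
{
    uint32_t id = 1;                               /* constructed sample */
    initial_ue_message_t no_nas = { &id, NULL, 0 };
    printf("checked handler: %d, rejected so far: %lu\n",
           handle_checked(&no_nas), rejected_count());
    return 0;
}
```

A rising rejection counter of this kind, or repeated MME restarts on an unpatched build, is a useful signal to alert on for the affected S1AP peer.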
Details
- CWE(s)