CVE-2023-36998
Published: 22 January 2025
Summary
CVE-2023-36998 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Nextepc (inferred from references). Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 43.7th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2023-36998 is a stack-based buffer overflow vulnerability (CWE-121) in the Emergency Number List decoding method of NextEPC MME versions up to and including 1.0.1. The flaw allows an attacker to send a NAS message with an oversized Emergency Number List value, causing the MME to overwrite the stack with arbitrary bytes. It has a CVSS v3.1 base score of 8.9 (AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H) and was published on 2025-01-22.
An attacker with a cellphone connection to any base station managed by the affected MME can exploit this vulnerability without authenticating to the LTE core. By crafting and transmitting a malicious NAS message, the attacker can trigger the buffer overflow, potentially achieving arbitrary code execution, integrity violations, or denial of service on the MME, given the high impact on integrity and availability alongside scoped confidentiality effects.
Mitigation involves updating to the fixed commit a8492c9c5bc0a66c6999cb5a263545b32a4109df. Additional details are available in advisories at http://nextepc.com and https://cellularsecurity.org/ransacked.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-40918
Vulnerability details
The NextEPC MME <= 1.0.1 (fixed in commit a8492c9c5bc0a66c6999cb5a263545b32a4109df) contains a stack-based buffer overflow vulnerability in the Emergency Number List decoding method. An attacker may send a NAS message containing an oversized Emergency Number List value to the MME to overwrite the stack with arbitrary bytes. An attacker with a cellphone connection to any base station managed by the MME may exploit this vulnerability without having to authenticate with the LTE core.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A buffer overflow in the MME's NAS message processing enables remote code execution on a network-exposed core component via crafted protocol messages sent from an adjacent network.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of NAS message inputs like the Emergency Number List size to prevent stack-based buffer overflows from oversized values.
SI-16 implements memory protections such as stack canaries and ASLR to block successful stack overwrites even if invalid input reaches the decoder.
SI-2 ensures timely application of the specific patch (commit a8492c9c5bc0a66c6999cb5a263545b32a4109df) to remediate the buffer overflow flaw in NextEPC MME.
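The SI-10 control above amounts to one concrete rule for a NAS information-element decoder: never trust the peer-supplied length octet until it has been checked against both the bytes actually present in the message and the capacity of the fixed-size destination. The following C snippet is an added illustration of that rule and is not NextEPC's code; the IE layout, the 48-octet content capacity, the struct and function names, and the three sample messages are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical Emergency Number List IE layout for this example (not
 * NextEPC's real structure): one length octet followed by the list
 * content, which the receiver stores in a fixed stack buffer. The
 * 48-octet capacity is an assumption made for the example. */
#define ENL_MAX_CONTENT_LEN 48

typedef struct {
    uint8_t length;
    uint8_t content[ENL_MAX_CONTENT_LEN];
} emergency_number_list_t;

enum {
    DECODE_OK = 0,
    DECODE_ERR_TRUNCATED = -1,   /* length octet claims more than is present */
    DECODE_ERR_TOO_LONG = -2     /* length exceeds the fixed destination */
};

/* Hardened decoder. The CWE-121 pattern described by the CVE is the
 * opposite of this: reading the length octet and copying that many bytes
 * into a fixed-size buffer without comparing it to the buffer's capacity.
 * Here every bound is checked before memcpy is reached. */
int decode_emergency_number_list(emergency_number_list_t *out,
                                 const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1)
        return DECODE_ERR_TRUNCATED;          /* no length octet at all */

    size_t ie_len = msg[0];

    if (ie_len > msg_len - 1)
        return DECODE_ERR_TRUNCATED;          /* fewer bytes than claimed */

    if (ie_len > ENL_MAX_CONTENT_LEN)
        return DECODE_ERR_TOO_LONG;           /* would overflow out->content */

    memset(out, 0, sizeof(*out));
    out->length = (uint8_t)ie_len;
    memcpy(out->content, msg + 1, ie_len);    /* bounded by the checks above */
    return DECODE_OK;
}

/* Constructed sample 1: well-formed IE with 5 content octets. */
int decode_sample_valid(uint8_t *decoded_len)
{
    static const uint8_t msg[] = { 0x05, 0x01, 0x02, 0x03, 0x04, 0x05 };
    emergency_number_list_t enl;
    int rc = decode_emergency_number_list(&enl, msg, sizeof msg);
    if (decoded_len)
        *decoded_len = (rc == DECODE_OK) ? enl.length : 0;
    return rc;
}

/* Constructed sample 2: length octet 0xFF with 255 filler bytes present,
 * i.e. an oversized value that a naive decoder would copy onto the stack. */
int decode_sample_oversized(void)
{
    uint8_t msg[256];
    msg[0] = 0xFF;
    memset(msg + 1, 0x41, sizeof msg - 1);
    emergency_number_list_t enl;
    return decode_emergency_number_list(&enl, msg, sizeof msg);
}

/* Constructed sample 3: length octet claims 16 bytes but only 2 follow. */
int decode_sample_truncated(void)
{
    static const uint8_t msg[] = { 0x10, 0x01, 0x02 };
    emergency_number_list_t enl;
    return decode_emergency_number_list(&enl, msg, sizeof msg);
}

int main(void)
{
    uint8_t len = 0;
    printf("valid:     rc=%d len=%u\n", decode_sample_valid(&len), len);
    printf("oversized: rc=%d\n", decode_sample_oversized());
    printf("truncated: rc=%d\n", decode_sample_truncated());
    return 0;
}
```

The ordering of the two checks matters: the comparison against `msg_len` guards against over-reading the input buffer, and the comparison against `ENL_MAX_CONTENT_LEN` guards against over-writing the stack destination; dropping either one leaves a memory-safety defect. SI-16 protections such as stack canaries and ASLR only raise the cost of exploiting a decoder that lacks these checks; they do not replace them.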