CVE-2023-37013
Published: 22 January 2025
Summary
CVE-2023-37013 is a high-severity Reachable Assertion (CWE-617) vulnerability in Open5GS (vendor and product are both listed as Open5GS; the affected component is the MME). Its CVSS base score is 7.3 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2023-37013 affects Open5GS MME versions up to and including 2.6.4. The vulnerability involves an assertion failure that can be remotely triggered by sending a sufficiently large ASN.1 packet over the S1AP interface. This causes the ogs_sctp_recvmsg routine to encounter an unexpected network state, resulting in a crash and denial of service. The issue is classified under CWE-617 (Reachable Assertion) with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
An unauthenticated remote attacker can exploit this vulnerability by repeatedly sending oversized ASN.1 packets over the S1AP interface. This triggers the assertion failure and crashes the MME component, leading to a denial of service. The CVSS vector indicates potential low-impact confidentiality and integrity effects alongside the availability impact, though the primary outcome described is service disruption.
Mitigation details and further advisories are available in the reference at https://cellularsecurity.org/ransacked.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-40933
Vulnerability details
Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a sufficiently large ASN.1 packet over the S1AP interface. An attacker may repeatedly send such an oversized packet to cause the `ogs_sctp_recvmsg` routine to reach an unexpected network state and crash, leading to denial of service.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation of reachable assertion in exposed S1AP service directly enables application/system crash for DoS impact.
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation addresses the specific assertion failure in Open5GS MME's ogs_sctp_recvmsg routine triggered by oversized S1AP ASN.1 packets.
Input validation rejects oversized or malformed ASN.1 packets over the S1AP interface before they cause the assertion failure and crash.
Denial-of-service protections such as rate limiting or maximum packet size enforcement on S1AP mitigate repeated oversized packet attacks leading to MME crashes.
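The two controls just described, a maximum packet size check and per-peer rate limiting on the S1AP receive path, as an added example that is not Open5GS code: a guard that sits between the SCTP receive call and the ASN.1 decoder, drops any message over a cap before it is parsed, and throttles a peer that floods the interface. The cap, window length, budget, type and function names (`s1ap_guard`, `peer_bucket_t`, `S1AP_MAX_MSG_BYTES`) are hypothetical, chosen for illustration; a real deployment would size the cap to its largest legitimate S1AP PDU and key the counter by SCTP association.

```c
/* Added example, not Open5GS code: a guard on the SCTP receive path that
 * applies SI-10 (reject oversized input before any decoding) and SC-5
 * (per-peer rate limiting). All names and limits below are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define S1AP_MAX_MSG_BYTES 4096u /* hypothetical cap; size it to the largest legitimate S1AP PDU */
#define PEER_RATE_LIMIT    50u   /* hypothetical: messages allowed per window per peer */
#define PEER_WINDOW_SECS   1u

typedef enum {
    S1AP_ACCEPT = 0,         /* safe to hand to the ASN.1 decoder */
    S1AP_DROP_OVERSIZED = 1, /* over the cap: never reaches the decoder */
    S1AP_DROP_RATE = 2       /* peer has exhausted its per-window budget */
} s1ap_verdict_t;

/* Per-peer fixed-window counter; a real implementation keys this by SCTP association. */
typedef struct {
    uint32_t peer_id;
    uint64_t window_start; /* seconds */
    uint32_t count;
} peer_bucket_t;

static bool peer_rate_ok(peer_bucket_t *b, uint64_t now) {
    if (now - b->window_start >= PEER_WINDOW_SECS) {
        b->window_start = now; /* new window: reset the budget */
        b->count = 0;
    }
    if (b->count >= PEER_RATE_LIMIT)
        return false;
    b->count++;
    return true;
}

/* Verdict for one received message. The length check runs first, so an
 * oversized PDU is discarded without touching any parsing code. */
s1ap_verdict_t s1ap_guard(peer_bucket_t *peer, uint64_t now, const uint8_t *msg, size_t len) {
    if (msg == NULL || len == 0 || len > S1AP_MAX_MSG_BYTES)
        return S1AP_DROP_OVERSIZED;
    if (!peer_rate_ok(peer, now))
        return S1AP_DROP_RATE;
    return S1AP_ACCEPT;
}

/* Scenario helpers with constructed inputs; the payload bytes are irrelevant
 * to the guard, only their length and arrival rate matter. */
s1ap_verdict_t check_oversized(void) {
    peer_bucket_t peer = {1, 0, 0};
    static uint8_t big[S1AP_MAX_MSG_BYTES + 1]; /* constructed: one byte over the cap */
    return s1ap_guard(&peer, 100, big, sizeof big);
}

/* Delivers n small messages within one window; returns how many were accepted. */
size_t check_burst(size_t n) {
    peer_bucket_t peer = {2, 0, 0};
    uint8_t small[64] = {0}; /* constructed: a plausibly sized PDU */
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (s1ap_guard(&peer, 100, small, sizeof small) == S1AP_ACCEPT)
            accepted++;
    return accepted;
}

/* Exhausts the budget, then advances the clock past the window: the peer is
 * served again, so a legitimate eNB is only throttled, never locked out. */
s1ap_verdict_t check_window_reset(void) {
    peer_bucket_t peer = {3, 0, 0};
    uint8_t small[64] = {0};
    for (size_t i = 0; i <= PEER_RATE_LIMIT; i++)
        s1ap_guard(&peer, 100, small, sizeof small);
    return s1ap_guard(&peer, 100 + PEER_WINDOW_SECS, small, sizeof small);
}

int main(void) {
    printf("oversized verdict: %d\n", (int)check_oversized());
    printf("accepted from burst of 200: %zu\n", check_burst(200));
    printf("verdict after window reset: %d\n", (int)check_window_reset());
    return 0;
}
```

The ordering matters: the size check precedes the rate check so that a single oversized message is rejected on its own, and the rate limit is a fixed window rather than a permanent block so that a legitimate peer which briefly bursts recovers once the window rolls over.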