CVE-2023-37015
Published: 22 January 2025
Summary
CVE-2023-37015 is a high-severity Reachable Assertion (CWE-617) vulnerability in Open5GS. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 45.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2023-37015 is a vulnerability in Open5GS MME versions up to and including 2.6.4, where an assertion failure can be remotely triggered by a malformed ASN.1 packet over the S1AP interface. The issue is triggered by a Path Switch Request message that lacks the required MME_UE_S1AP_ID field, which causes the MME to crash. It is classified under CWE-617 with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), reflecting its high availability impact.
An unauthenticated attacker with network access to the S1AP interface can exploit this vulnerability by transmitting the malformed Path Switch Request, repeatedly crashing the MME and causing a denial of service. No privileges, user interaction, or special conditions are required beyond network reachability, and the changed scope amplifies the potential disruption to the affected 5G core network component.
Mitigation details are available in the advisory published at https://cellularsecurity.org/ransacked, which was referenced alongside the CVE disclosure on 2025-01-22.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-40935
Vulnerability details
Open5GS MME versions <= 2.6.4 contain an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a `Path Switch Request` message missing a required `MME_UE_S1AP_ID` field to repeatedly crash the MME, resulting in denial of service.
- CWE(s): CWE-617
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A malformed S1AP packet triggers a remote assertion failure and MME crash, directly enabling application/system DoS via exploitation (T1499.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Validates malformed ASN.1 Path Switch Request packets over S1AP to ensure the required MME_UE_S1AP_ID field is present, preventing the assertion failure and MME crash.
- Provides denial-of-service protection against repeated transmission of malformed S1AP packets that crash the MME, limiting attack impact on availability.
- Ensures error handling for missing required fields in S1AP messages does not disclose information or cause exploitable crashes in the MME.
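The required-field check that the input-validation control calls for can be sketched as follows. This is an added example, not Open5GS code and not taken from the advisory: the types, enum values and function names are hypothetical simplifications, and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified stand-ins; these are not Open5GS types. */
enum ie_id { IE_ENB_UE_S1AP_ID, IE_MME_UE_S1AP_ID, IE_OTHER };
struct ie { enum ie_id id; uint32_t value; };
struct path_switch_request { const struct ie *ies; size_t count; };
enum handler_result { HANDLED, REJECTED_MISSING_IE };

/* Return the first IE with the given id, or NULL when the peer omitted it. */
static const struct ie *find_ie(const struct path_switch_request *msg,
                                enum ie_id id)
{
    for (size_t i = 0; i < msg->count; i++)
        if (msg->ies[i].id == id)
            return &msg->ies[i];
    return NULL;
}

/* Crash-prone pattern (CWE-617): assert(find_ie(...) != NULL) on data the
 * peer controls aborts the whole process for every attached subscriber.
 * Hardened pattern: absence is a protocol error for this one message. */
enum handler_result handle_path_switch_request(
    const struct path_switch_request *msg, uint32_t *mme_ue_id_out)
{
    const struct ie *mme_id = find_ie(msg, IE_MME_UE_S1AP_ID);
    if (mme_id == NULL) {
        /* Assumption: a deployment would log the event and answer with an
         * S1AP error indication here instead of continuing. */
        return REJECTED_MISSING_IE;
    }
    *mme_ue_id_out = mme_id->value;
    return HANDLED;
}

/* Constructed samples: one complete message, one lacking the required IE. */
static const struct ie complete_ies[] = {
    { IE_ENB_UE_S1AP_ID, 7 }, { IE_MME_UE_S1AP_ID, 42 },
};
static const struct ie missing_ies[] = { { IE_ENB_UE_S1AP_ID, 7 } };

int main(void)
{
    uint32_t id = 0;
    struct path_switch_request ok = { complete_ies, 2 };
    struct path_switch_request bad = { missing_ies, 1 };
    if (handle_path_switch_request(&ok, &id) != HANDLED || id != 42)
        return 1;
    return handle_path_switch_request(&bad, &id) == REJECTED_MISSING_IE ? 0 : 1;
}
```

Counting `REJECTED_MISSING_IE` results per peer gives the denial-of-service control a signal to rate-limit or alert on.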