P1-Aji

**Name of the Vulnerable Software and Affected Versions** Ella Core versions prior to 1.6.0 **Description** Ella Core, a 5G core designed for private networks, experiences a panic when processing NGAP messages containing invalid PDU Session IDs outside the range of 1-15. An attacker capable of sending specially crafted NGAP messages to Ella Core can cause a process crash, leading to service disruption for all connected subscribers. No authentication is required to exploit this issue. The vulnerability is related to insufficient validation of PDU Session IDs during NGAP message handling. **Recommendations** Update to version 1.6.0 or later, which includes PDU Session ID validations during NGAP message handling.

**Name of the Vulnerable Software and Affected Versions** Ella Core versions prior to 1.6.0 **Description** Ella Core, a 5G core designed for private networks, experiences a panic when processing a malformed NGAP LocationReport message. Specifically, the issue occurs with the `ue-presence-in-area-of-interest` event type when the optional `UEPresenceInAreaOfInterestList` IE is omitted. An attacker can exploit this by sending crafted NGAP messages to Ella Core, leading to a process crash and service disruption for all connected subscribers. No authentication is required for exploitation. The issue is related to the handling of NGAP messages and the absence of proper IE presence verification. **Recommendations** Update to version 1.6.0 or later.

**Name of the Vulnerable Software and Affected Versions** Ella Core versions prior to 1.6.0 **Description** Ella Core, a 5G core designed for private networks, experiences a panic when processing improperly formatted UL NAS Transport NAS messages that lack a Request Type. An attacker can exploit this by sending specially crafted NAS messages to Ella Core, leading to a process crash and service disruption for all connected subscribers. This does not require authentication. The issue occurs when receiving an UL NAS Message without a Request Type and no SM Context. **Recommendations** Update to version 1.6.0 or later.

**Name of the Vulnerable Software and Affected Versions** Ella Core versions prior to 1.5.1 **Description** Ella Core is a 5G core designed for private networks. Prior to version 1.5.1, the software experiences a panic when processing a malformed integrity-protected NGAP/NAS message with a length less than 7 bytes. An attacker capable of sending crafted NAS messages to Ella Core can cause the process to crash, resulting in service disruption for all connected subscribers. No authentication is required for exploitation. The issue involves processing messages via the `InitialUEMessage` and affects the AMF component. The vulnerability is related to insufficient length verification during NAS message handling. **Recommendations** Update Ella Core to version 1.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** Ella Core versions prior to 1.5.1 **Description** Ella Core is a 5G core designed for private networks. The software experiences a panic, leading to a denial of service, when processing a `PathSwitchRequest` containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings. An attacker capable of sending crafted NGAP messages to Ella Core can disrupt service for all connected subscribers. No authentication is required for exploitation. The issue stems from a lack of length validation on NR algorithm bitstrings before they are accessed within the `PathSwitchRequest` handler. **Recommendations** Versions prior to 1.5.1 should be updated to version 1.5.1 or later.