CVE-2023-37004

Name of the Vulnerable Software and Affected Versions Open5GS MME versions prior to 2.6.4

Description The issue allows an attacker to send a malformed ASN.1 packet over the S1AP interface, triggering an assertion that can cause a denial of service. Specifically, an attacker may send an "Initial Context Setup Response" message missing the required MME UE S1AP ID field, causing the MME to crash repeatedly.

Recommendations For versions prior to 2.6.4, update to version 2.6.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the S1AP interface to minimize the risk of exploitation. Avoid processing Initial Context Setup Response messages missing the MME UE S1AP ID field until the issue is resolved.