CVE-2023-37014

Name of the Vulnerable Software and Affected Versions Open5GS MME versions <= 2.6.4

Description The issue concerns an assertion in Open5GS MME that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. An attacker may send a UE Context Release Request message missing a required MME UE S1AP ID field to repeatedly crash the MME, resulting in denial of service.

Recommendations For Open5GS MME versions <= 2.6.4, update to a version greater than 2.6.4 to resolve the issue. As a temporary workaround, consider restricting access to the S1AP interface to minimize the risk of exploitation. Avoid sending UE Context Release Request messages without the required MME UE S1AP ID field until the issue is resolved.