CVE-2023-37021

Name of the Vulnerable Software and Affected Versions Open5GS MME version 2.6.4 and earlier

Description The issue allows an attacker to send a UE Context Modification Failure message without the required MME UE S1AP ID field, which can cause the MME to crash repeatedly, resulting in denial of service. This can be achieved by sending a malformed ASN.1 packet over the S1AP interface.

Recommendations For Open5GS MME version 2.6.4 and earlier, consider disabling the S1AP interface or restricting access to it until a patch is available. As a temporary workaround, implement measures to detect and prevent malformed ASN.1 packets from being processed by the MME.