Full Report
A group of academics has disclosed details of over 100 security vulnerabilities impacting LTE and 5G implementations that could be exploited by an attacker to disrupt access to service and even gain a foothold into the cellular core network. The 119 vulnerabilities, assigned 97 unique CVE identifiers, span seven LTE implementations – Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, NextEPC,
Analysis Summary
Written from a vulnerability research perspective, the following summary of the disclosed security flaws is structured for clarity and actionability.
# Vulnerability: Over 100 Flaws in LTE and 5G RAN Implementations (RANsacked)
## CVE Details
- **CVE ID:** The article states **97 unique CVE identifiers** were assigned, but specific IDs and associated CVSS scores are not provided in this summary context.
- **CVSS Score:** Not specified.
- **CWE:** Buffer overflows and memory corruption errors were identified.
## Affected Systems
- **Products:** Numerous open-source and commercial LTE/5G implementations were affected.
- **LTE Implementations (7):** Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, NextEPC, srsRAN.
- **5G Implementations (3):** Open5GS, Magma, OpenAirInterface.
- **Versions:** Not specified. The findings generally cover the implementations available for testing at the time of the research.
- **Configurations:** Vulnerabilities were tested against **RAN-Core interfaces** that receive input directly from mobile handsets and base stations.
## Vulnerability Description
Researchers discovered over 100 vulnerabilities (97 unique CVEs) across seven LTE and three 5G network core implementations (including Open5GS, Magma, and OpenAirInterface). The flaws were found by fuzzing the Radio Access Network (RAN)-Core communication interfaces.
Many of these flaws manifest as **buffer overflows and memory corruption errors**. Crucially, the vulnerabilities allow an attacker to cause persistent disruption to all cellular communications (calls, data, messaging) at a city-wide level by continuously crashing the **Mobility Management Entity (MME in LTE)** or the **Access and Mobility Management Function (AMF in 5G)**.
The attack vector is particularly severe as it can be executed by sending a single, small data packet over the network as an **unauthenticated user** (no SIM card required). Successful exploitation of other memory corruption flaws could lead to gaining a foothold into the cellular core network, allowing for subscriber monitoring (location/connection info) and targeted subscriber attacks.
## Exploitation
- **Status:** The description implies potential for active disruption ("can be used to persistently disrupt all cellular communications"). Availability of PoCs is suggested by the mention of the fuzzing tool used.
- **Complexity:** Described as relatively low, as an attacker can cause widespread service disruption by sending a single small packet as an unauthenticated user.
- **Attack Vector:** Primarily **Network** (input received over the radio access interface).
## Impact
The inherent nature of these flaws suggests severe impact across all metrics:
- **Confidentiality:** High potential; exploitation could lead to monitoring cell phone location and connection information for all subscribers.
- **Integrity:** High potential; exploitation could lead to targeted attacks on specific subscribers or manipulation of network functions.
- **Availability:** Critical; confirmed ability to cause persistent, city-wide disruption of all cellular service by crashing MME/AMF functions.
## Remediation
### Patches
Specific patch information per CVE or vendor is **not provided** in this summary, as the article only details the discovery. Vendors involved would need to release corresponding security updates for their specific software versions (Open5GS, Magma, etc.).
### Workarounds
No specific workarounds are detailed, but given the nature of the flaw (exploitable via unauthenticated network input crashing core functions), immediate mitigation focuses on **network hardening and input validation enforcement** at the RAN-Core interface boundary, pending official patches.
## Detection
- **Indicators of Compromise (IOCs):** Unexplained, repeated crashes or restarts of MME or AMF functions are major indicators.
- **Detection Methods and Tools:** Detection should focus on monitoring the traffic entering the RAN-Core interfaces for malformed or anomalous packets, especially those directed at MME/AMF processes originating from unauthenticated sources. The research utilized a fuzzing exercise named **RANsacked** coupled with a tool called **asnfuzzgen**.
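The crash-loop indicator above can be turned into a concrete check. The following is an added example, not code from the RANsacked research, asnfuzzgen, or any of the listed implementations: it parses constructed systemd-style journal lines, counts signal-killed exits of the MME/AMF daemons inside a sliding time window, and raises one alert per burst. The host name, the unit names (`open5gs-mmed.service`, `open5gs-amfd.service`), the log format and the timestamps are assumptions made for the example; adapt the regular expression to whatever process supervisor and core implementation you actually run.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed systemd-style journal lines. The host name, unit names and
# timestamps are assumptions for this example, not output from a real deployment.
SAMPLE_LOGS = """\
2025-01-10T10:00:01Z core1 systemd[1]: open5gs-mmed.service: Main process exited, code=killed, status=11/SEGV
2025-01-10T10:00:03Z core1 systemd[1]: open5gs-mmed.service: Scheduled restart job, restart counter is at 1.
2025-01-10T10:00:25Z core1 systemd[1]: open5gs-mmed.service: Main process exited, code=killed, status=11/SEGV
2025-01-10T10:00:27Z core1 systemd[1]: open5gs-mmed.service: Scheduled restart job, restart counter is at 2.
2025-01-10T10:01:02Z core1 systemd[1]: open5gs-amfd.service: Main process exited, code=killed, status=6/ABRT
2025-01-10T10:01:04Z core1 systemd[1]: open5gs-amfd.service: Scheduled restart job, restart counter is at 1.
2025-01-10T10:01:10Z core1 systemd[1]: open5gs-mmed.service: Main process exited, code=killed, status=11/SEGV
2025-01-10T10:30:00Z core1 systemd[1]: open5gs-mmed.service: Main process exited, code=exited, status=0/SUCCESS
"""

# Matches a systemd "Main process exited" line and captures the fields we need.
EXIT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ systemd\[\d+\]: "
    r"(?P<unit>\S+\.service): Main process exited, "
    r"code=(?P<code>\w+), status=(?P<num>\d+)/(?P<name>\w+)"
)


def parse_crash_event(line):
    """Return (timestamp, unit, signal_name) for a signal-killed exit, else None.

    Only code=killed counts as a crash: a clean exit (code=exited, status=0)
    is an operator restart and must not feed the detector.
    """
    m = EXIT_RE.match(line)
    if m is None or m.group("code") != "killed":
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("unit"), m.group("name")


def detect_crash_loops(lines, threshold=3, window=timedelta(minutes=5)):
    """Flag units that are signal-killed `threshold` times within `window`.

    Lines are processed in order; each unit keeps a sliding window of crash
    timestamps. An alert fires once, when the count reaches the threshold,
    so one crash burst yields one alert rather than one per log line.
    """
    recent = defaultdict(deque)  # unit -> deque of (timestamp, signal_name)
    alerts = []
    for line in lines:
        event = parse_crash_event(line)
        if event is None:
            continue
        ts, unit, sig = event
        q = recent[unit]
        q.append((ts, sig))
        # Drop crashes older than the window, measured from the newest one.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append({
                "service": unit,
                "count": len(q),
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "signals": [s for _, s in q],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_crash_loops(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {a['service']}: {a['count']} crashes "
              f"({', '.join(a['signals'])}) between {a['first_seen']} and {a['last_seen']}")
```

On the constructed input the MME unit is killed by SIGSEGV three times in just over a minute and produces one alert, while the single SIGABRT of the AMF unit and the later clean exit of the MME do not. In practice the alert would be correlated with packet captures on the S1/N2 interface taken around `first_seen`, since a crash preceded by a single small message from an unauthenticated UE is the signature the research describes.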
## References
- Research Findings (Contains CVEs/Details): hxxps://cellularsecurity.org/ransacked
- Fuzzing Tool Used: hxxps://github.com/FICS/asnfuzzgen
- Vendor Advisories: Not explicitly listed, but necessary actions should be directed to the maintainers of Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, NextEPC, and srsRAN.