Linux Foundation Magma

Magma MME Stack Buffer Overflow <1.8 via Oversized Emergency List
CVE-2023-37032 7.5 - High - January 21, 2025

A Stack-based buffer overflow in the Mobile Management Entity (MME) of Magma versions <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows remote attackers to crash the MME with an unauthenticated cellphone by sending a NAS packet containing an oversized `Emergency Number List` Information Element.

Memory Corruption

DoS via crafted NAS packet in Magma <=1.8.0 decode_linked_ti_ie
CVE-2024-24420 - January 21, 2025

A reachable assertion in the decode_linked_ti_ie function of Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet.

Magma <=1.8.0 Type Confusion in nas_message_decode arbitrary code exec
CVE-2024-24421 - January 21, 2025

A type confusion in the nas_message_decode function of Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted NAS packet.

MME Assertion Crash in Magma <=1.8.0 via NAS EN IE
CVE-2023-37024 7.5 - High - January 21, 2025

A reachable assertion in the Mobile Management Entity (MME) of Magma versions <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows remote attackers to crash the MME with an unauthenticated cellphone by sending a NAS packet containing an `Emergency Number List` Information Element.

assertion failure

Null Ptr Deref in Magma MME <=1.8 via missing S1AP ResetType
CVE-2023-37025 6.5 - Medium - January 21, 2025

A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `Reset` packet missing an expected `ResetType` field.

NULL Pointer Dereference

Null ptr deref in Magma MME <=1.8 via S1AP E-RAB Response
CVE-2023-37026 6.5 - Medium - January 21, 2025

A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `E-RAB Release Response` packet missing an expected `MME_UE_S1AP_ID` field.

NULL Pointer Dereference

Null Pointer Deref in Magma MME <1.8.0 via S1AP E-RAB Modification Indication
CVE-2023-37027 6.5 - Medium - January 21, 2025

Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `E-RAB Modification Indication` packet missing an expected `eNB_UE_S1AP_ID` field.

NULL Pointer Dereference

Null Ptr Deref in Magma MME (<=1.8.0) via S1AP E-RAB Mod Ind packet
CVE-2023-37028 6.5 - Medium - January 21, 2025

A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `E-RAB Modification Indication` packet missing an expected `eNB_UE_S1AP_ID` field.

NULL Pointer Dereference

Magma <=1.8.0 Assert Crash in MME via Oversized NAS Packet (DoS)
CVE-2023-37029 7.5 - High - January 21, 2025

Magma versions <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) are susceptible to an assertion-based crash when an oversized NAS packet is received. An attacker may leverage this behavior to repeatedly crash the MME via either a compromised base station or via an unauthenticated cellphone within range of a base station managed by the MME, causing a denial of service.

assertion failure

Magma MME Null Ptr Dref <1.8 Crash via S1AP Init UE Msg
CVE-2023-37030 6.5 - Medium - January 21, 2025

A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `Initial UE Message` packet missing an expected `eNB_UE_S1AP_ID` field.

NULL Pointer Dereference

Magma MME Null-Pointer via S1AP eNB Config Transfer (1.8.0)
CVE-2023-37031 6.5 - Medium - January 21, 2025

A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `eNB Configuration Transfer` packet missing its required `Target eNB ID` field.

NULL Pointer Dereference

Magma <=1.8 Buffer Overflow in decode_esm_message_container (DoS) (fixed 1.9)
CVE-2024-24423 7.5 - High - January 21, 2025

The Linux Foundation Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) was discovered to contain a buffer overflow in the decode_esm_message_container function at /nas/ies/EsmMessageContainer.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet.

Memory Corruption

Magma MME Null Pointer Deref. before 1.9 via S1AP Initial UE
CVE-2023-37033 6.5 - Medium - January 21, 2025

A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `Initial UE Message` packet missing an expected `EUTRAN_CGI` field.

NULL Pointer Dereference

Magma MME Null Pointer Deref via S1AP missing TAI (1.8)
CVE-2023-37034 6.5 - Medium - January 21, 2025

A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `Initial UE Message` packet missing an expected `TAI` field.

NULL Pointer Dereference

NPE in Magma MME <=1.8 via missing ENB_UE_S1AP_ID in S1AP Uplink
CVE-2023-37036 6.5 - Medium - January 21, 2025

A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `Uplink NAS Transport` packet missing an expected `ENB_UE_S1AP_ID` field.

NULL Pointer Dereference

Null ptr deref in Magma MME <=1.8 via S1Setup Request
CVE-2023-37037 6.5 - Medium - January 21, 2025

A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `S1Setup Request` packet missing an expected `Supported TAs` field.

NULL Pointer Dereference

Null pointer deref in Magma MME (<=1.8.0) via S1AP Uplink NAS
CVE-2023-37038 6.5 - Medium - January 21, 2025

A Null pointer dereference vulnerability in the Mobile Management Entity (MME) in Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) allows network-adjacent attackers to crash the MME via an S1AP `Uplink NAS Transport` packet missing an expected `MME_UE_S1AP_ID` field.

NULL Pointer Dereference

Magma 1.8 Buffer Overflow in decode_access_point_name_ie (DoS)
CVE-2024-24416 7.5 - High - January 21, 2025

The Linux Foundation Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) was discovered to contain a buffer overflow in the decode_access_point_name_ie function at /3gpp/3gpp_24.008_sm_ies.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet.

Classic Buffer Overflow

Magma <=1.8.0 Buf ovfl in decode_proto_config_opts Causing NAS DoS
CVE-2024-24417 7.5 - High - January 21, 2025

The Linux Foundation Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) was discovered to contain a buffer overflow in the decode_protocol_configuration_options function at /3gpp/3gpp_24.008_sm_ies.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet.

Out-of-bounds Read

DoS via bufover in Magma <=1.8.0 PdnAddress.cpp
CVE-2024-24418 7.5 - High - January 21, 2025

The Linux Foundation Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) was discovered to contain a buffer overflow in the decode_pdn_address function at /nas/ies/PdnAddress.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet.

Classic Buffer Overflow

Magma <=1.8.0 Buffer Overflow in DTFTPP (DoS via crafted NAS packet)
CVE-2024-24419 7.5 - High - January 21, 2025

The Linux Foundation Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) was discovered to contain a buffer overflow in the decode_traffic_flow_template_packet_filter function at /3gpp/3gpp_24.008_sm_ies.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet.

Classic Buffer Overflow

Magma <=1.8.0 stack overflow in decode_protocol_configuration_options allows DoS
CVE-2024-24422 7.5 - High - January 21, 2025

The Linux Foundation Magma <= 1.8.0 (fixed in v1.9 commit 08472ba98b8321f802e95f5622fa90fec2dea486) was discovered to contain a stack overflow in the decode_protocol_configuration_options function at /3gpp/3gpp_24.008_sm_ies.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet.

Memory Corruption