CVE-2024-24416 Overview
CVE-2024-24416 is a buffer overflow vulnerability in Linux Foundation Magma versions 1.8.0 and earlier. The flaw resides in the decode_access_point_name_ie function located at /3gpp/3gpp_24.008_sm_ies.c. Attackers can trigger the vulnerability by sending a crafted Non-Access Stratum (NAS) packet to the affected component. Successful exploitation causes a Denial of Service (DoS) condition on the Magma core network. The issue was remediated in version 1.9 via commit 08472ba98b8321f802e95f5622fa90fec2dea486. The vulnerability is classified under [CWE-120] (Buffer Copy without Checking Size of Input).
Critical Impact
Remote, unauthenticated attackers can disrupt Magma cellular core network services by sending malformed NAS packets, impacting availability of mobile network functions.
Affected Products
- Linux Foundation Magma versions up to and including 1.8.0
- Magma component 3gpp_24.008_sm_ies.c (decode_access_point_name_ie function)
- Fixed in Magma v1.9 (commit 08472ba98b8321f802e95f5622fa90fec2dea486)
Discovery Timeline
- 2025-01-21 - CVE-2024-24416 published to NVD
- 2025-03-15 - Last updated in NVD database
Technical Details for CVE-2024-24416
Vulnerability Analysis
Magma is an open-source mobile packet core platform maintained under the Linux Foundation. It implements 3GPP protocols for LTE and 5G non-standalone deployments. The decode_access_point_name_ie function parses the Access Point Name (APN) Information Element within NAS Session Management messages defined by 3GPP TS 24.008. The function fails to validate the length of incoming APN data against the destination buffer size, resulting in a buffer overflow when oversized values are decoded.
Root Cause
The root cause is missing bounds checking during NAS message decoding in /3gpp/3gpp_24.008_sm_ies.c. The decoder copies attacker-controlled length fields from the APN IE into a fixed-size buffer without enforcing the protocol-defined maximum. This pattern aligns with [CWE-120], where input length is trusted without validation.
Attack Vector
An unauthenticated remote attacker delivers a crafted NAS packet to the Magma Mobility Management Entity (MME) component. When the decoder processes the malformed APN IE, the overflow corrupts adjacent memory and crashes the process. Because Magma serves as the cellular core, a crash disrupts mobile data services for all attached subscribers. No user interaction or privileges are required to trigger the condition.
No public proof-of-concept code is currently available. Refer to the Cellular Security Analysis advisory for additional protocol-level technical detail.
Detection Methods for CVE-2024-24416
Indicators of Compromise
- Unexpected crashes or restarts of the Magma MME or session management processes
- Core dumps referencing decode_access_point_name_ie or 3gpp_24.008_sm_ies.c
- Surge in malformed NAS Session Management messages from a single S1AP peer or eNodeB
- Subscriber session establishment failures coinciding with NAS decoding errors in logs
Detection Strategies
- Inspect NAS PDUs at the S1-MME interface for APN IE length fields exceeding the 3GPP maximum of 100 octets
- Monitor Magma process health metrics for abnormal restart loops or memory faults
- Correlate eNodeB-originated S1AP traffic with NAS parser errors to identify malicious sources
Monitoring Recommendations
- Forward Magma application logs and core network telemetry to a centralized SIEM for parsing error analysis
- Track NAS message decode failure rates and alert on statistically significant spikes
- Capture packet metadata on the S1-MME interface to support post-incident reconstruction
How to Mitigate CVE-2024-24416
Immediate Actions Required
- Upgrade Magma to version 1.9 or later containing commit 08472ba98b8321f802e95f5622fa90fec2dea486
- Restrict S1-MME interface access to authorized eNodeBs using network segmentation and firewall rules
- Audit Magma deployments to confirm no production instance runs version 1.8.0 or earlier
Patch Information
The vulnerability is fixed in Magma v1.9 via commit 08472ba98b8321f802e95f5622fa90fec2dea486. Operators running affected builds should rebuild from the patched source or deploy an updated container image incorporating the fix. Review the Cellular Security Analysis reference for related findings affecting cellular core implementations.
Workarounds
- Deploy NAS-aware filtering at the S1-MME boundary to drop APN IEs exceeding protocol-defined length limits
- Enforce strict allow-listing of trusted eNodeB peers connecting to the Magma core
- Enable process supervision and automatic restart policies to reduce service downtime if a crash occurs
# Example: pin Magma deployments to the patched commit
git clone https://github.com/magma/magma.git
cd magma
git checkout 08472ba98b8321f802e95f5622fa90fec2dea486
# Rebuild and redeploy affected MME components
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
