CVE-2024-24429 Overview
CVE-2024-24429 is a reachable assertion vulnerability in Open5GS, an open source implementation of 5G Core and EPC components. The flaw resides in the nas_eps_send_emm_to_esm function and affects versions up to and including 2.6.4. Remote attackers can trigger the assertion by sending a crafted NGAP (Next Generation Application Protocol) packet, causing the process to abort and producing a Denial of Service (DoS) condition. The issue is classified under [CWE-617] Reachable Assertion. Public research on this and related Open5GS issues is documented in the RANsacked cellular security analysis.
Critical Impact
An unauthenticated network attacker can crash Open5GS core network components by sending a single malformed NGAP packet, disrupting mobile network signaling and subscriber connectivity.
Affected Products
- Open5GS versions up to and including 2.6.4
- Open5GS MME component handling NAS/EPS signaling
- Deployments exposing NGAP endpoints to untrusted networks
Discovery Timeline
- 2025-01-22 - CVE-2024-24429 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-24429
Vulnerability Analysis
Open5GS implements the Mobility Management Entity (MME) and related core network functions in C. The nas_eps_send_emm_to_esm function passes EPS Mobility Management (EMM) messages to the EPS Session Management (ESM) layer. The function contains an assertion that validates internal state or message fields before processing. When an attacker delivers a crafted NGAP packet that violates this assumption, the assertion fails and the process aborts.
The vulnerability requires no authentication and no user interaction. Exploitation occurs over the network against the signaling interface, and a successful trigger terminates the affected daemon. Operators relying on Open5GS for lab, research, or production mobile core deployments lose subscriber attach and bearer management capabilities until the service restarts.
Root Cause
The root cause is an assertion used as a runtime invariant check on attacker-controlled input paths. Assertions are intended for impossible internal states, not for validating untrusted protocol fields. Because NGAP payload contents reach the assertion without prior sanitization, an attacker can deterministically force assert() to fail and call abort().
Attack Vector
The attack vector is network-based against the NGAP interface that Open5GS exposes to gNB/eNB peers. An attacker with reachability to this signaling interface sends a crafted NGAP message whose embedded NAS payload steers execution into nas_eps_send_emm_to_esm with field values that violate the assertion. No credentials, session, or prior attach state is required. The result is immediate termination of the Open5GS process and loss of core network availability.
No verified public proof-of-concept code is available. The vulnerability mechanism is described in the RANsacked cellular security analysis.
Detection Methods for CVE-2024-24429
Indicators of Compromise
- Unexpected termination or repeated restarts of the Open5GS MME process accompanied by assert or abort entries in system logs.
- Core dump files generated by Open5GS components after receipt of NGAP traffic.
- Loss of subscriber attach, paging, or bearer setup operations correlated with inbound NGAP messages from unexpected peers.
Detection Strategies
- Inspect Open5GS logs for assertion failure messages referencing nas_eps_send_emm_to_esm or NAS/EMM processing paths.
- Monitor process supervisors (systemd, container orchestrators) for abnormal restart counts on Open5GS daemons.
- Capture and analyze NGAP traffic on the S1/N2 interface for malformed or non-conformant message structures originating from non-trusted endpoints.
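The log and restart checks listed above, as an added example that is not part of the original advisory or of Open5GS: a shell function that counts assertion messages naming nas_eps_send_emm_to_esm, SIGABRT exits and systemd restart counters. The sample log lines are constructed, and the unit name open5gs-mmed.service and the Open5GS message wording are assumptions.

```shell
#!/usr/bin/env bash
# Added example: triage Open5GS MME logs for signs of the reachable assertion.
# The log lines below are CONSTRUCTED samples. The Open5GS message wording and
# the unit name open5gs-mmed.service are assumptions; adapt them to your host.

sample_log() {
cat <<'EOF'
Jan 22 10:00:01 core1 open5gs-mmed[812]: [mme] INFO: S1 peer accepted from 10.0.0.12
Jan 22 10:00:07 core1 open5gs-mmed[812]: [emm] FATAL: nas_eps_send_emm_to_esm: Assertion `<expr>' failed.
Jan 22 10:00:07 core1 systemd[1]: open5gs-mmed.service: Main process exited, code=dumped, status=6/ABRT
Jan 22 10:00:12 core1 systemd[1]: open5gs-mmed.service: Scheduled restart job, restart counter is at 1.
Jan 22 10:00:19 core1 open5gs-mmed[901]: [emm] FATAL: nas_eps_send_emm_to_esm: Assertion `<expr>' failed.
Jan 22 10:00:19 core1 systemd[1]: open5gs-mmed.service: Main process exited, code=dumped, status=6/ABRT
Jan 22 10:00:24 core1 systemd[1]: open5gs-mmed.service: Scheduled restart job, restart counter is at 2.
EOF
}

# Reads log lines on stdin and prints one summary line.
# $1 = number of aborts that escalates WARN to ALERT (default 2).
scan_open5gs_log() {
  awk -v limit="${1:-2}" '
    { line = tolower($0) }
    # Assertion text that names the vulnerable function.
    line ~ /assert/ && line ~ /nas_eps_send_emm_to_esm/ { hits++ }
    # systemd records SIGABRT (the signal abort() raises) as status=6/ABRT.
    line ~ /open5gs-[a-z0-9]+\.service/ && line ~ /status=6\/abrt/ { aborts++ }
    # Highest restart counter systemd reported for an Open5GS unit.
    line ~ /open5gs-[a-z0-9]+\.service/ && line ~ /restart counter is at/ {
      n = $NF; sub(/\.$/, "", n); if (n + 0 > restarts) restarts = n + 0
    }
    END {
      verdict = "OK"
      if (hits > 0 || aborts > 0) verdict = "WARN"
      if (hits > 0 && aborts >= limit) verdict = "ALERT"
      printf "assert_hits=%d aborts=%d max_restarts=%d verdict=%s\n", hits, aborts, restarts, verdict
    }'
}

sample_log | scan_open5gs_log
```

Against a live host, pipe the journal for the MME unit (for example the output of journalctl -u open5gs-mmed.service) into scan_open5gs_log instead of sample_log.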
Monitoring Recommendations
- Alert on any Open5GS service crash or unplanned restart within the mobile core environment.
- Track NGAP peer connections and reject sessions from gNB/eNB addresses that are not explicitly allowlisted.
- Correlate signaling-plane anomalies with subscriber-plane impact to identify targeted denial of service attempts.
How to Mitigate CVE-2024-24429
Immediate Actions Required
- Upgrade Open5GS to a release later than 2.6.4 that addresses the reachable assertion in nas_eps_send_emm_to_esm.
- Restrict NGAP and S1AP interface exposure to authenticated, allowlisted gNB/eNB peers using network ACLs or IPsec.
- Place Open5GS components under a process supervisor with rate-limited restart policies to limit downtime if the assertion fires.
Patch Information
Update to a fixed Open5GS release after version 2.6.4. Review the Open5GS project release notes and the RANsacked cellular security analysis for affected functions and remediation context.
Workarounds
- Terminate NGAP traffic only from trusted radio access network elements and drop all other inbound signaling at the perimeter.
- Deploy IPsec or private transport between gNB/eNB and the Open5GS core to prevent off-path injection of crafted NGAP packets.
- Run Open5GS components in redundant configurations so that a single process abort does not eliminate core network availability.
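# Example: restrict NGAP/SCTP access to known RAN peers using nftables
# 10.0.0.0/24 is a placeholder; list your own gNB/eNB addresses in the set.
# The chain policy is accept so that only SCTP is filtered here; a drop policy
# would also cut off SSH, loopback and every other inbound service on the host.
nft add table inet open5gs
nft add chain inet open5gs input { type filter hook input priority 0 \; policy accept \; }
# Allow SCTP from allowlisted RAN peers, then drop SCTP from everyone else.
nft add rule inet open5gs input ip saddr { 10.0.0.0/24 } ip protocol sctp accept
nft add rule inet open5gs input meta l4proto sctp drop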

