HPE Aruba Networking Product Security Advisory
===============================

Advisory ID: HPESBNW04780
CVE: CVE-2024-24452, CVE-2024-24453, CVE-2024-24454, CVE-2024-24455,
     CVE-2024-24456, CVE-2024-24457, CVE-2024-24458, CVE-2024-24459
Publication Date: 2025-Jan-31
Status: Confirmed
Severity: Medium
Revision: 1

Title
=====
HPE Athonet Core Multiple Vulnerabilities

Overview
========
Multiple vulnerabilities have been publicly disclosed that could affect
HPE Athonet Core products.

Affected Products
=================
These vulnerabilities affect the following HPE Athonet Core Software
version unless specifically noted otherwise in the details section:

  - HPE Athonet Core 11.1 and below
  - HPE Athonet Core 11.2 thru 11.6 under certain configuration settings

Unaffected Products
===================
Any other HPE Networking products not specifically listed above are not
affected by these vulnerabilities.

Details
=======

Denial of Service Vulnerability in Athonet vEPC MME v11.4.0 Due to
Invalid Memory Access in E-RAB Release Indication Handling
(CVE-2024-24452)
---------------------------------------------------------------------
  An invalid memory access when handling the ProtocolIE_ID field of
  E-RAB Release Indication messages in Athonet vEPC MME v11.4.0 allows
  attackers to cause a Denial of Service (DoS) to the cellular network
  by repeatedly initiating connections and sending a crafted payload.

  Internal Reference: PSA-432
  Severity: Medium
  CVSS v3.1 Base Score: 5.9
  CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

  Discovery: This vulnerability was discovered by Bennett, N., Zhu, W.,
  Simon, B., Kennedy, R., Enck, W., Traynor, P., Butler, K. (2024).
  RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core
  Interfaces. https://nathanielbennett.com/publications/ransacked.pdf

  Workaround: Please refer to the Workaround section below for detailed
  instructions.

Denial of Service Vulnerability in Athonet vEPC MME v11.4.0 Due to
Invalid Memory Access in E-RAB NotToBeModifiedBearerModInd Handling
(CVE-2024-24453)
---------------------------------------------------------------------
  An invalid memory access when handling the ProtocolIE_ID field of
  E-RAB NotToBeModifiedBearerModInd information element in Athonet vEPC
  MME v11.4.0 allows attackers to cause a Denial of Service (DoS) to the
  cellular network by repeatedly initiating connections and sending a
  crafted payload.

  Internal Reference: PSA-432
  Severity: Medium
  CVSS v3.1 Base Score: 5.9
  CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

  Discovery: This vulnerability was discovered by Bennett, N., Zhu, W.,
  Simon, B., Kennedy, R., Enck, W., Traynor, P., Butler, K. (2024).
  RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core
  Interfaces. https://nathanielbennett.com/publications/ransacked.pdf

  Workaround: Please refer to the Workaround section below for detailed
  instructions.

Denial of Service Vulnerability in Athonet vEPC MME v11.4.0 Due to
Invalid Memory Access in E-RAB Modify Request Handling
(CVE-2024-24454)
---------------------------------------------------------------------
  An invalid memory access when handling the ProtocolIE_ID field of
  E-RAB Modify Request messages in Athonet vEPC MME v11.4.0 allows
  attackers to cause a Denial of Service (DoS) to the cellular network
  by repeatedly initiating connections and sending a crafted payload.

  Internal Reference: PSA-432
  Severity: Medium
  CVSS v3.1 Base Score: 5.9
  CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

  Discovery: This vulnerability was discovered by Bennett, N., Zhu, W.,
  Simon, B., Kennedy, R., Enck, W., Traynor, P., Butler, K. (2024).
  RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core
  Interfaces. https://nathanielbennett.com/publications/ransacked.pdf

  Workaround: Please refer to the Workaround section below for detailed
  instructions.

Denial of Service Vulnerability in Athonet vEPC MME v11.4.0 Due to
Invalid Memory Access in UE Context Release Handling
(CVE-2024-24455)
---------------------------------------------------------------------
  An invalid memory access when handling a UE Context Release message
  containing an invalid UE identifier in Athonet vEPC MME v11.4.0 allows
  attackers to cause a Denial of Service (DoS) to the cellular network
  by repeatedly initiating connections and sending a crafted payload.

  Internal Reference: PSA-432
  Severity: Medium
  CVSS v3.1 Base Score: 5.9
  CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

  Discovery: This vulnerability was discovered by Bennett, N., Zhu, W.,
  Simon, B., Kennedy, R., Enck, W., Traynor, P., Butler, K. (2024).
  RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core
  Interfaces. https://nathanielbennett.com/publications/ransacked.pdf

  Workaround: Please refer to the Workaround section below for detailed
  instructions.

Buffer Overflow Vulnerability in Athonet MME Triggered by Malformed
E-RAB Release Command NAS PDU
(CVE-2024-24456)
------------------------------------------------------------------------
  An E-RAB Release Command packet containing a malformed NAS PDU will
  cause the Athonet MME to immediately crash, potentially due to a
  buffer overflow.

  Internal Reference: PSA-432
  Severity: Medium
  CVSS v3.1 Base Score: 5.9
  CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

  Discovery: This vulnerability was discovered by Bennett, N., Zhu, W.,
  Simon, B., Kennedy, R., Enck, W., Traynor, P., Butler, K. (2024).
  RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core
  Interfaces. https://nathanielbennett.com/publications/ransacked.pdf

  Workaround: Please refer to the Workaround section below for detailed
  instructions.

Denial of Service Vulnerability in Athonet vEPC MME v11.4.0 Due to
Invalid Memory Access in E-RAB Setup List Context SURes Handling
(CVE-2024-24457)
---------------------------------------------------------------------
  An invalid memory access when handling the ProtocolIE_ID field of
  E-RAB Setup List Context SURes messages in Athonet vEPC MME v11.4.0
  allows attackers to cause a Denial of Service (DoS) to the cellular
  network by repeatedly initiating connections and sending a crafted
  payload.

  Internal Reference: PSA-432
  Severity: Medium
  CVSS v3.1 Base Score: 5.9
  CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

  Discovery: This vulnerability was discovered by Bennett, N., Zhu, W.,
  Simon, B., Kennedy, R., Enck, W., Traynor, P., Butler, K. (2024).
  RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core
  Interfaces. https://nathanielbennett.com/publications/ransacked.pdf

  Workaround: Please refer to the Workaround section below for detailed
  instructions.

Denial of Service Vulnerability in Athonet vEPC MME v11.4.0 Due to
Invalid Memory Access in ENB Configuration Transfer Handling
(CVE-2024-24458)
---------------------------------------------------------------------
  An invalid memory access when handling the ENB Configuration Transfer
  messages containing invalid PLMN Identities in Athonet vEPC MME
  v11.4.0 allows attackers to cause a Denial of Service (DoS) to the
  cellular network by repeatedly initiating connections and sending a
  crafted payload.

  Internal Reference: PSA-432
  Severity: Medium
  CVSS v3.1 Base Score: 5.9
  CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

  Discovery: This vulnerability was discovered by Bennett, N., Zhu, W.,
  Simon, B., Kennedy, R., Enck, W., Traynor, P., Butler, K. (2024).
  RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core
  Interfaces. https://nathanielbennett.com/publications/ransacked.pdf

  Workaround: Please refer to the Workaround section below for detailed
  instructions.

Denial of Service Vulnerability in Athonet vEPC MME v11.4.0 Due to
Invalid Memory Access in S1Setup Request Handling
(CVE-2024-24459)
------------------------------------------------------------------------
  An invalid memory access when handling the ProtocolIE_ID field of
  S1Setup Request messages in Athonet vEPC MME v11.4.0 allows attackers
  to cause a Denial of Service (DoS) to the cellular network by
  repeatedly initiating connections and sending a crafted payload.

  Internal Reference: PSA-432
  Severity: Medium
  CVSS v3.1 Base Score: 5.9
  CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

  Discovery: This vulnerability was discovered by Bennett, N., Zhu, W.,
  Simon, B., Kennedy, R., Enck, W., Traynor, P., Butler, K. (2024).
  RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core
  Interfaces. https://nathanielbennett.com/publications/ransacked.pdf

  Workaround: Please refer to the Workaround section below for detailed
  instructions.

Resolution
==========
To resolve the vulnerabilities described above, it is recommended to
upgrade Athonet Core product to:

  - HPE Aruba Networking Private 5G Core

HPE Aruba Networking does not evaluate or patch software branches or
products that have reached their End of Maintenance (EoM) milestone.

For more information about HPE Aruba Networking End of Life policy
please visit: https://www.hpe.com/psnow/doc/a00143052enw

Workaround
==========
Affected Athonet Core versions: 11.1 and below

  1. Upgrade software to Athonet Core 11.6 (Required)
  2. In the GUI, under the "Monitoring -> Utilities -> Processes" menu,
     disable the "MME (OLD)" process and enable the "MME" process.
  3. Migrate the configuration from the "MME" configuration page to the
     "eMME" (Enhanced MME) configuration page.*

Affected Core versions: 11.2 and later, but earlier than 11.6.

  1. Upgrade software to Athonet Core 11.6 (Recommended)
  2. In the GUI, go to the "Monitoring -> Utilities -> Processes" menu.
     If the "MME (OLD)" process is disabled and the MME process is
     enabled, then the system is correctly configured, and no further
     action is required.
  3. Otherwise, disable the "MME (OLD)" process and enable the "MME"
     process.
  4. Migrate the configuration from the MME (old configuration page) to
     the eMME.*

*You may contact HPE Support for assistance with the migration of the
configuration if needed.

*Until you upgrade*

For a generic workaround, regardless of the installed software, to
minimize the likelihood of an attacker exploiting this vulnerability and
to mitigate the risks in the RAN, HPE Aruba Networking recommends
customers to deploy the network following the 3GPP recommendations,
whereby the RAN to Core connection should be protected with IPSec in
addition to stricter control over RAN entities.

Exploitation and Public Discussion
==================================
These vulnerabilities are being discussed in public. HPE Aruba
Networking is not aware of any exploitation tools or techniques that
specifically target HPE Aruba Networking products.

Additional information about this vulnerability is available at:
https://cellularsecurity.org/ransacked.

More in-depth technical detail and discussion is available at:
https://nathanielbennett.com/publications/ransacked.pdf

Revision History
================
Revision 1 / 2025-Jan-31 / Initial release

HPE Aruba Networking SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage
the use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2025 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information
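
The generic workaround in the "Until you upgrade" paragraph (IPSec on the RAN to Core connection and stricter control over RAN entities) can be checked against flow records from the S1-MME interface. The Python below is an added example, not part of the HPE advisory or any HPE tooling; the record format, the eNB allowlist range and the thresholds are assumptions, while SCTP port 36412 is the registered S1AP port.

```python
"""Audit S1-MME (S1AP over SCTP/36412) association attempts: peer not an
approved eNB, traffic outside IPsec, or one peer re-initiating repeatedly."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

S1AP_SCTP_PORT = "36412"                        # registered S1AP port
ENB_ALLOWLIST = [ip_network("10.20.0.0/28")]    # assumption: approved eNB range
MAX_INITS, WINDOW_S = 3, 60                     # assumption: tune per site

# Constructed sample records: epoch_seconds src_ip dst_port sctp_chunk via_ipsec
SAMPLE_LOG = """\
1000 10.20.0.5 36412 INIT yes
1005 10.20.0.5 36412 DATA yes
1010 192.0.2.77 36412 INIT no
1020 10.20.0.9 36412 INIT yes
1025 10.20.0.9 36412 INIT yes
1030 10.20.0.9 36412 INIT yes
1035 10.20.0.9 36412 INIT yes
1040 10.20.0.6 2905 INIT yes
"""

def audit(log_text):
    """Return a list of (timestamp, src_ip, reason) findings."""
    findings, recent = [], defaultdict(deque)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                            # skip records without five fields
        ts, src, port, chunk, ipsec = fields
        if port != S1AP_SCTP_PORT or chunk != "INIT":
            continue                            # only new S1AP associations
        ts = int(ts)
        if not any(ip_address(src) in net for net in ENB_ALLOWLIST):
            findings.append((ts, src, "peer-not-allowlisted"))
        if ipsec != "yes":
            findings.append((ts, src, "outside-ipsec"))
        inits = recent[src]
        inits.append(ts)
        while inits and ts - inits[0] > WINDOW_S:
            inits.popleft()                     # drop INITs outside the window
        if len(inits) > MAX_INITS:
            findings.append((ts, src, "repeated-association-init"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Correlating "repeated-association-init" findings with MME process restarts gives an indication of the crash-and-reconnect pattern the Details section describes.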