The issue present in Magma <= 1.8. software is identified as a type confusion vulnerability in the nas_message_decode function. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) through a crafted NAS packet. Fortunately, this bug has been fixed in the v1.9 release of Magma, under commit 08472ba98b8321f802e95f5622fa90fec2dea486.

Exploit Details

The nas_message_decode function in Magma's core element is responsible for processing Network Access Server (NAS) packets. An attacker can exploit this type confusion vulnerability when the function blindly trusts a certain packet type's field. By sending a malicious NAS packet with crafted content, the attacker may cause the software to crash, execute arbitrary code, or create a variety of other issues.

A simplified code snippet showcasing the type confusion in nas_message_decode would be

int nas_message_decode(...) {
  ...
  uint8_t protocol_discriminator = ...
  uint8_t decoded_type = ...
  
  ...
  switch (protocol_discriminator) {
    case ATTACH_REQUEST_VALUE:
    ...
      switch (decoded_type) {
        ...
        case MESSAGE_TYPE_TAG:
          type_value = *buffer;
          if (type_value != type_value_current) {
            mismatch_error_in_type_value(...);
          }
          buffer++;
          break;
        ...
      }
    ...
    break;
  }
}

The above code snippet shows how the function reads the protocol_discriminator field from the NAS packet and then reads the decoded_type field. The break in type_value and type_value_current are the main cause of the type confusion vulnerability.

1. Magma GitHub Repository - A link to the Magma repository on GitHub showcasing the source code and issue: https://github.com/magma/magma
2. Magma Commit Fixing the Issue - A direct link to the commit 08472ba98b8321f802e95f5622fa90fec2dea486 that fixes this vulnerability: https://github.com/magma/magma/commit/08472ba98b8321f802e95f5622fa90fec2dea486

Mitigation

To defend against this vulnerability, it is highly recommended that users upgrade their Magma software to v1.9 or later, which contains the fix for this type confusion issue. By updating to the latest version, users will benefit from the increased security and stability provided by the Magma developers.

In Conclusion

CVE-2024-24421 is a type confusion vulnerability present in Magma <= 1.8. software that can allow attackers to execute arbitrary code or cause a Denial of Service through malicious NAS packets. To protect against this vulnerability, it is crucial for users to update their Magma installations to v1.9 or later. By implementing this simple step, users will benefit from the improved security and functionality offered by the latest version of Magma.

Timeline

Published on: 01/21/2025 23:15:12 UTC
Last modified on: 03/20/2025 14:15:19 UTC