CVE-2024-24421 is a type confusion vulnerability in the nas_message_decode function of the Magma mobile network core, affecting versions up to and including 1.8. It allows a remote attacker to execute arbitrary code or trigger a denial of service (DoS) by sending a specially crafted NAS (Non-Access Stratum) packet.
If you operate Magma on your network (cellular core, Open RAN testbeds, etc.), this bug could let an attacker crash critical services or even take control of your server. In this post, we break down what happened, why it matters, how it works, and how to fix it.
What Is Magma?
Magma is an open-source mobile core network project by the Linux Foundation, used to enable scalable 4G/5G networks. Many research, private, and enterprise operators use it to quickly stand up mobile network services.
- Affected versions: Magma <= 1.8
- Patched in: Magma 1.9 (commit 08472ba98b8321f802e95f5622fa90fec2dea486)
Deep Dive: Type Confusion
The bug is in the function that decodes incoming NAS packets (nas_message_decode). It trusts the message-type field carried in the packet itself and casts the message to a structure type that was never validated against the context in which the message was allocated.
What is type confusion?
It means code treats one kind of data as if it were another. For instance, treating user data as a pointer instead of a simple number. This often leads to unpredictable program behavior, crashes, or letting an attacker hijack code flow.
Vulnerable code (simplified for clarity)
```c
int nas_message_decode(nas_message_t* nas_msg, const uint8_t* buffer, uint32_t len) {
    // ...snip...
    // message_type comes straight from the packet; nothing has checked that it
    // matches the kind of message nas_msg was actually allocated as
    switch (nas_msg->header.message_type) {
        case MESSAGE_TYPE_X: {
            message_x_t* msg_x = (message_x_t*)nas_msg; // <-- Type confusion here!
            process_x(msg_x, buffer, len);
            break;
        }
        // other cases...
    }
    // ...snip...
}
```
Here, nas_message_t* nas_msg can point to one of several structures, depending on the message type. The code lets the incoming message_type pick which one, but a crafted NAS packet can set that field to any value, so the function is tricked into casting to a structure that does not match the memory it was actually given. If the attacker also controls the surrounding fields, the misinterpreted data can lead to out-of-bounds access and memory corruption, and potentially to arbitrary code execution.
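To make the pattern concrete, here is an added example that is not Magma's code: a toy NAS-style decoder with two hypothetical message layouts, toy_msg_short_t (3 bytes) and toy_msg_long_t (18 bytes). All names, sizes and type codes are assumptions chosen for illustration. vulnerable_decode lets the wire message_type choose which structure the caller's buffer is cast to, so a packet that claims to be LONG overruns a buffer that was allocated for a SHORT message. hardened_decode is told which type and how much room the caller actually allocated and refuses any packet whose message_type disagrees. A canary region after the SHORT slot makes the overrun observable instead of silently corrupting the stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical message layouts for illustration; not Magma's real structs. */
#define TOY_MSG_SHORT    0x41
#define TOY_MSG_LONG     0x42
#define TOY_LONG_PAYLOAD 16
#define CANARY_BYTE      0xA5
typedef struct { uint8_t protocol_discriminator, message_type; } toy_header_t;
typedef struct { toy_header_t header; uint8_t value; } toy_msg_short_t;                 /* 3 bytes  */
typedef struct { toy_header_t header; uint8_t data[TOY_LONG_PAYLOAD]; } toy_msg_long_t; /* 18 bytes */

/* Receiver storage: room for exactly one SHORT message, followed by a canary
 * region so an overrun shows up as a changed byte instead of silent corruption. */
#define SLOT_SIZE (sizeof(toy_msg_short_t) + TOY_LONG_PAYLOAD)

/* VULNERABLE: the wire message_type alone decides which struct `out` is cast to.
 * The caller allocated a SHORT message; a packet claiming LONG writes 16 bytes. */
int vulnerable_decode(toy_header_t *out, const uint8_t *buf, size_t len) {
    if (len < sizeof(toy_header_t)) return -1;
    out->protocol_discriminator = buf[0];
    out->message_type = buf[1];
    switch (out->message_type) {
    case TOY_MSG_SHORT:
        if (len < sizeof(toy_msg_short_t)) return -1;
        ((toy_msg_short_t *)out)->value = buf[2];
        return 0;
    case TOY_MSG_LONG:                                /* <-- type confusion: */
        if (len < sizeof(toy_msg_long_t)) return -1;  /* length is checked, type is not */
        memcpy(((toy_msg_long_t *)out)->data, buf + 2, TOY_LONG_PAYLOAD); /* overruns a SHORT slot */
        return 0;
    default:
        return -2;
    }
}

/* HARDENED: the caller states which type it allocated and how much room it has;
 * the wire field must agree with that context or decoding is refused. */
int hardened_decode(toy_header_t *out, size_t out_size, uint8_t expected_type,
                    const uint8_t *buf, size_t len) {
    size_t need;
    if (len < sizeof(toy_header_t)) return -1;
    if (buf[1] != expected_type) return -2;           /* wire type must match context */
    if (expected_type == TOY_MSG_SHORT) need = sizeof(toy_msg_short_t);
    else if (expected_type == TOY_MSG_LONG) need = sizeof(toy_msg_long_t);
    else return -2;
    if (out_size < need || len < need) return -3;     /* destination and packet must fit */
    out->protocol_discriminator = buf[0];
    out->message_type = buf[1];
    if (expected_type == TOY_MSG_SHORT) ((toy_msg_short_t *)out)->value = buf[2];
    else memcpy(((toy_msg_long_t *)out)->data, buf + 2, TOY_LONG_PAYLOAD);
    return 0;
}

static void slot_init(uint8_t *slot) {
    memset(slot, 0, SLOT_SIZE);
    memset(slot + sizeof(toy_msg_short_t), CANARY_BYTE, TOY_LONG_PAYLOAD);
}
static int canary_intact(const uint8_t *slot) {
    for (size_t i = sizeof(toy_msg_short_t); i < SLOT_SIZE; i++)
        if (slot[i] != CANARY_BYTE) return 0;
    return 1;
}

/* Constructed packets (not captured traffic): `crafted` claims LONG although the
 * receiver expects SHORT; `legit` is a well-formed SHORT message. */
static const uint8_t crafted[2 + TOY_LONG_PAYLOAD] = {
    0x07, TOY_MSG_LONG, 'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X',
    'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X' };
static const uint8_t legit[3] = { 0x07, TOY_MSG_SHORT, 0x2A };

/* 1 if the vulnerable decoder accepted the packet and clobbered the canary. */
int demo_vulnerable_overflows(void) {
    uint8_t slot[SLOT_SIZE];
    slot_init(slot);
    return vulnerable_decode((toy_header_t *)slot, crafted, sizeof crafted) == 0
           && !canary_intact(slot);
}
/* 1 if the hardened decoder rejected the mismatch and left the canary alone. */
int demo_hardened_refuses(void) {
    uint8_t slot[SLOT_SIZE];
    slot_init(slot);
    return hardened_decode((toy_header_t *)slot, sizeof(toy_msg_short_t),
                           TOY_MSG_SHORT, crafted, sizeof crafted) == -2
           && canary_intact(slot);
}
/* Payload byte of a legitimate SHORT message through the hardened path, or -1. */
int demo_hardened_accepts_valid(void) {
    uint8_t slot[SLOT_SIZE];
    slot_init(slot);
    if (hardened_decode((toy_header_t *)slot, sizeof(toy_msg_short_t),
                        TOY_MSG_SHORT, legit, sizeof legit) != 0 || !canary_intact(slot))
        return -1;
    return ((toy_msg_short_t *)slot)->value;
}
```

The three demo_ functions return the outcomes (1, 1 and 42) for a harness to check. Note that the vulnerable decoder already checks the packet length; what it lacks is any link between the type it casts to and the type the receiver actually allocated, which is exactly what the hardened version's expected_type and out_size parameters supply.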
Step 1: Craft the Malicious NAS Packet
An attacker builds a NAS packet with a fake message_type and attacker-chosen field values, forcing the decoder to cast the message to the wrong structure.
Example Python Snippet (for Research/Testing)
```python
# Pseudocode ONLY - Do not use on production!
import socket

NAS_PACKET_LEN = 256
crafty_packet = bytearray(NAS_PACKET_LEN)
crafty_packet[0] = 0xAB  # Fake header values (placeholders, not a real NAS header)
crafty_packet[1] = 0xCD  # Set message_type to trigger type confusion
# Fill out rest of packet as needed ...
# (using knowledge of struct layouts and offsets in Magma's nas_message_t and derived types)

# S1AP and NGAP run over SCTP, not TCP, and the NAS bytes travel inside an S1AP PDU
# (e.g. the NAS-PDU IE), so they must be wrapped before the MME will hand them to
# nas_message_decode.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SCTP)
sock.connect(('magma.network.host', 38412))  # Adjust IP/port: S1AP defaults to 36412, NGAP to 38412
sock.send(crafty_packet)
sock.close()
```
*This sends the crafted bytes to the Magma core's S1AP listener (SCTP, not TCP), potentially triggering the bug. In a real S1 exchange the NAS message is carried inside an S1AP message such as an Initial UE Message or Uplink NAS Transport, so the bytes have to be wrapped accordingly before the MME will decode them as NAS.*
- If the exploit succeeds, the Magma core process may crash (DoS).
- With additional research (heap grooming, precise memory control), the attacker could achieve arbitrary code execution.
Note:
This requires the attacker to deliver NAS messages to the Magma core over the S1 interface. NAS is carried end to end between the UE and the MME and relayed transparently by the eNodeB, so the crafted message could come from a rogue eNodeB that can reach the S1AP listener or from a malicious device attached to a legitimate cell. In default setups the S1 interface is NOT normally exposed to the open Internet, but on testbeds and dev installs it may well be reachable.
Check Commit:
- Compare your code with the fix commit.
- Upgrade to Magma 1.9 or later! The patch adds stricter checking and makes sure wrong types can no longer be cast blindly.
- Don't expose the S1AP/NAS ports to untrusted networks. S1AP runs over SCTP (port 36412 by default; NGAP uses 38412), and only your eNodeBs/gNodeBs and management hosts should be able to reach it.
Additional References
- Magma Security Advisories
- Commit Fixing the Bug
- CVE Details Page (if published)
- Type confusion explanation (Wikipedia)
Summary
CVE-2024-24421 is a critical bug in Magma up to and including v1.8 that allows dangerous memory confusion just by sending a crafted NAS packet to the core. This can lead to a crash (DoS) or, in the worst case, remote code execution.
If you operate public or shared mobile core environments, this is an urgent, high-priority fix.
If you want a deeper dive into the bug or to see live proof-of-concepts, follow Magma’s official GitHub or security advisories above.
Timeline
Published on: 01/21/2025 23:15:12 UTC
Last modified on: 03/20/2025 14:15:19 UTC