<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ellacore - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/ellacore/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/ellacore/feed.xml" rel="self" type="application/rss+xml"/><item><title>Ella Core NGAP Message Handling Vulnerability Leads to Denial of Service</title><link>https://feed.craftedsignal.io/briefs/2024-01-ella-core-dos/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-ella-core-dos/</guid><description>Ella Core versions prior to 1.6.0 are vulnerable to a denial-of-service attack where a crafted NGAP LocationReport message with a missing `UEPresenceInAreaOfInterestList` can crash the process, disrupting service for all connected subscribers.</description><content:encoded><![CDATA[<p>Ella Core, a 5G core designed for private networks, is susceptible to a denial-of-service (DoS) vulnerability in versions prior to 1.6.0. This flaw, identified as CVE-2026-33282, stems from improper handling of malformed Next Generation Application Protocol (NGAP) LocationReport messages. Specifically, if the <code>ue-presence-in-area-of-interest</code> event type is present without the optional <code>UEPresenceInAreaOfInterestList</code> information element (IE), the Ella Core process panics. An attacker, without requiring authentication, can exploit this by sending specially crafted NGAP messages to the vulnerable Ella Core instance. Successful exploitation results in a crash of the Ella Core process, leading to service disruption for all connected subscribers. The vendor addressed this vulnerability in version 1.6.0 by implementing IE presence verification in NGAP message handling.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Ella Core instance running a version prior to 1.6.0.</li>
<li>The attacker crafts a malicious NGAP LocationReport message.</li>
<li>The crafted message includes the <code>ue-presence-in-area-of-interest</code> event type.</li>
<li>Crucially, the <code>UEPresenceInAreaOfInterestList</code> information element (IE) is omitted from the message.</li>
<li>The attacker sends the crafted NGAP message to the vulnerable Ella Core instance.</li>
<li>Upon receiving the malformed message, the Ella Core process attempts to parse the missing <code>UEPresenceInAreaOfInterestList</code> IE.</li>
<li>Due to the missing IE, the parsing operation fails, causing a panic within the Ella Core process.</li>
<li>The Ella Core process crashes, leading to a denial of service condition for all connected subscribers.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33282 leads to a denial-of-service condition affecting all subscribers connected to the vulnerable Ella Core instance. This can disrupt critical communication services in private 5G networks, potentially impacting industrial control systems, healthcare facilities, or other environments relying on uninterrupted connectivity. The severity is high due to the ease of exploitation (no authentication required) and the potential for widespread service disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Ella Core instances to version 1.6.0 or later to patch CVE-2026-33282.</li>
<li>Deploy the Sigma rule <code>Detect Malformed NGAP LocationReport Messages</code> to identify potentially malicious NGAP messages being sent to Ella Core instances.</li>
<li>Implement network-level filtering to block or rate-limit NGAP traffic from suspicious sources.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>denial-of-service</category><category>5G</category><category>ellacore</category></item></channel></rss>