Ella Core panics on invalid PDU Session IDs in NGAP messages
Description
Ella Core is a 5G core designed for private networks. Versions prior to 1.6.0 panic when processing NGAP messages with invalid PDU Session IDs outside of 1-15. An attacker able to send crafted NGAP messages to Ella Core can crash the process, causing service disruption for all connected subscribers. No authentication is required. Version 1.6.0 added PDU Session ID validations during NGAP message handling.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-33281 is an unauthenticated denial-of-service vulnerability in Ella Core, a 5G core for private networks, in which crafted NGAP messages with invalid PDU Session IDs (outside 1-15) cause a process panic and crash.
Root Cause
Ella Core, a 5G core for private networks, prior to version 1.6.0, fails to validate PDU Session ID values when processing NGAP (Next Generation Application Protocol) messages. The specification reserves PDU Session IDs in the range 1-15 for assignment procedures, but the core does not check for values outside this range [1][3]. When an invalid ID is received, the software encounters an unexpected condition and panics, leading to a complete process crash.
Attack Surface
An attacker can send a single crafted NGAP message containing an invalid PDU Session ID to any reachable Ella Core instance. No authentication is required, and the attack can be launched remotely, as the NGAP interface is typically exposed to the radio access network (RAN) or potentially to adjacent networks depending on deployment [1]. The attack complexity is low because no special privileges or user interaction are needed.
Impact
A successful crash causes immediate denial of service for all subscribers currently connected through that core instance. Since Ella Core is designed as a single-binary, lightweight core, often deployed for critical private network use cases, the service disruption halts all 5G connectivity for the entire deployment [2]. The attack can be repeated indefinitely to maintain the denial of service.
Mitigation
The vulnerability is patched in Ella Core version 1.6.0, which adds proper validation of PDU Session IDs during NGAP message processing [1]. Users must upgrade to this version or later. No workarounds are mentioned; however, network segmentation can limit exposure of the NGAP interface to trusted RAN nodes only.
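The kind of range check the fix describes, as an added Go example that is not Ella Core's code. The advisory does not show the faulty code path; the fixed-size session table, the handler and all identifiers below are hypothetical, chosen to show why an ID decoded from the wire has to be checked against 1-15 and rejected with an error before it is used.

```go
package main

import (
	"errors"
	"fmt"
)

// Valid PDU Session ID range as stated in the advisory text (1-15).
const (
	minPDUSessionID = 1
	maxPDUSessionID = 15
)

var ErrInvalidPDUSessionID = errors.New("PDU Session ID outside 1-15")

// session and sessionTable are hypothetical stand-ins for per-UE state.
type session struct{ active bool }

type sessionTable [maxPDUSessionID + 1]*session // slot 0 is never used

// validatePDUSessionID takes the integer as decoded from the message and
// returns it narrowed to uint8 only if it lies in the valid range.
func validatePDUSessionID(raw int64) (uint8, error) {
	if raw < minPDUSessionID || raw > maxPDUSessionID {
		return 0, fmt.Errorf("%w: got %d", ErrInvalidPDUSessionID, raw)
	}
	return uint8(raw), nil
}

// handleRelease is a hypothetical handler: it validates first and returns
// an error to the caller, so a bad ID never reaches the table lookup.
func handleRelease(t *sessionTable, rawID int64) error {
	id, err := validatePDUSessionID(rawID)
	if err != nil {
		return err // reject this message only; the process keeps running
	}
	if t[id] == nil {
		return fmt.Errorf("no session for PDU Session ID %d", id)
	}
	t[id] = nil
	return nil
}

func main() {
	var t sessionTable
	t[5] = &session{active: true}
	for _, raw := range []int64{5, 0, 16, 255, -1} { // constructed inputs
		fmt.Printf("id=%d -> %v\n", raw, handleRelease(&t, raw))
	}
}
```
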
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ellanetworks/core (Go) | < 1.6.0 | 1.6.0 |
Affected products
- ellanetworks/core (v5) Range: < 1.6.0
References
- github.com/advisories/GHSA-q669-4gmv-g8mf (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33281 (ghsa, ADVISORY)
- github.com/ellanetworks/core/security/advisories/GHSA-q669-4gmv-g8mf (ghsa, x_refsource_CONFIRM, WEB)