Ella Core is a 5G core designed for private networks. Prior to 1.10.0, a radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying …

Ella Core, a 5G core network solution for private networks, contains a vulnerability prior to version 1.10.0. The vulnerability allows a radio with valid NG Setup to send forged PDUSessionResourceSetupResponse messages carrying any UE's AMF-UE-NGAP-ID. The system fails to verify that messages arrive on the correct SCTP association bound to the UE's logical NG-connection, leading to creation of GTP tunnels towards unauthorized radios. This represents a significant authentication bypass in 5G network infrastructure that could enable traffic redirection attacks. The vulnerability has been patched in version 1.10.0.