Ella Core is a 5G core designed for private networks. Prior to version 1.10.0, the software fails to verify UE Security Capabilities received in NGAP PathSwitchRequest messages against locally stored values. A malicious gNB (gNodeB) can exploit this weakness to overwrite Ella Core's stored UE security capabilities for any UE with arbitrary values by sending a single crafted PathSwitchRequest message. This [truncated]
A race condition in Ella Core prior to 1.10.0 allows concurrent execution of NAS Security Mode Command and N2 handover procedures, violating 3GPP TS 33.501 §6.9.5.1. This produces a KgNB key mismatch between UE and target gNB, causing handover failure. Exploitation requires a stalled gNB combined with a re-registration race condition. The vulnerability is rated LOW severity (CVSS 3.7) due to adjacent netw [truncated]
A vulnerability in Ella Core, a 5G core network implementation for private networks, allows a malicious radio with a valid NG Setup to forge PDUSessionResourceSetupResponse messages carrying arbitrary AMF-UE-NGAP-IDs. The affected versions fail to verify that such messages arrive on the SCTP association bound to the UE's logical NG-connection, resulting in unauthorized GTP tunnel creation toward the attac [truncated]