A security flaw has been reported in the Nokia GGSN
(Gateway GPRS support node) that could have led to a Denial of Service (DoS)
attack by hackers.
The GGSN (Gateway GPRS support node) is the platform that
exists between Gn and Gi networks within a GPRS network. The security firm,
@stake notified Nokia of the vulnerability, and Nokia has issued a software
update to close the loophole.
@stake says that there exists a vulnerability in the TCP
stack that allows an attacker to cause the GGSN to kernel panic and
shut down. This potentially allows an attacker to crash all data connectivity
within a GPRS-based network.
This vulnerability is exploited by sending a malformed IP
packet with a TCP option of 0xFF over a cellphone to the affected network.
In a statement sent to all Nokia GGSN customers, the company said
"Under exceptional circumstances Nokia GGSN release 1 is potentially
vulnerable to a 'Denial Of Service' style of attack from a malicious user
equipped with a computer and a mobile phone. When the vulnerability is
exploited the GGSN restarts.
There is no damage to the configuration, but some charging data may be
lost. Changing a normal Access Point to tunneled (GRE or IP in IP) prevents
the attacks from the mobile user side.
The same applies for the Gi interface, though routers and firewalls would
normally drop this kind of packet. The problem has been detected and
reported by @stake and has been reproduced by Nokia in collaboration with
@stake. Nokia and @stake are jointly working to eliminate the problem.
This vulnerability is corrected in IPSO version 3.4 and all subsequent
versions. Thus, GGSN release 2 is not vulnerable; GGSN release 1 is. Nokia
advises all customers still running GGSN release level 1 to upgrade to
GGSN release level 2.
As an interim measure operators can perform the following preventative
configuration changes to their networks. Ensure that all IP packets with
non-standard IP options are dropped by border firewalls on the Gi
interface.
Within the Gn network ensure that the GTP-aware firewall (if present)
also drops all encapsulated IP packets with non-standard IP options. This
may introduce latency; however, it will mitigate against the attack until the
patch has been fully deployed and tested.
Due to the severity of this vulnerability @stake has confirmed that they
will not be releasing this information publicly on their research page
(http://www.atstake.com/research/) until Nokia has confirmed that all
affected operators have fully patched and tested all affected elements.
Neither @stake nor Nokia is aware of this attack being used in the wild,
as it was discovered by @stake within a lab environment and subsequently
tested on a number of operators for whom they have worked."
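The interim filter the statement describes, dropping IP packets that carry non-standard IP options at the Gi border, written out as an added Python example; this is not Nokia's, @stake's or any firewall product's code, and the allow-list of option kinds and the sample headers are constructed assumptions for illustration:

```python
# IPv4 option kinds that the border filter still lets through.
# Assumption: this allow-list is illustrative (EOOL, NOP, Record Route,
# Timestamp, LSRR, SSRR, Router Alert); it is not Nokia's or @stake's list.
STANDARD_IP_OPTION_KINDS = {0, 1, 7, 68, 131, 137, 148}


def ipv4_option_kinds(packet: bytes):
    """Walk the IPv4 options field and return the option kinds found.

    Returns None when the header itself is malformed (bad version, IHL
    shorter than 20 bytes or longer than the packet, option length that
    runs past the header) so that the caller can fail closed.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return None
    kinds, i = [], 20
    while i < ihl:
        kind = packet[i]
        if kind == 0:                # End of Option List: the rest is padding
            break
        kinds.append(kind)
        if kind == 1:                # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= ihl:             # length byte missing
            return None
        length = packet[i + 1]
        if length < 2 or i + length > ihl:   # length overruns the header
            return None
        i += length
    return kinds


def should_drop(packet: bytes) -> bool:
    """Border-firewall decision: drop malformed headers and any non-standard option."""
    kinds = ipv4_option_kinds(packet)
    return kinds is None or any(k not in STANDARD_IP_OPTION_KINDS for k in kinds)


# Constructed sample headers (IPv4, TCP protocol, zero checksum, no payload).
PLAIN = bytes.fromhex("4500001400000000400600000a0000010a000002")
ROUTER_ALERT = bytes.fromhex("4600001800000000400600000a0000010a000002" "94040000")
UNKNOWN_OPT = bytes.fromhex("4600001800000000400600000a0000010a000002" "ff020000")
OVERRUN_OPT = bytes.fromhex("4600001800000000400600000a0000010a000002" "ff080000")

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("router-alert", ROUTER_ALERT),
                      ("unknown-option", UNKNOWN_OPT), ("overrun", OVERRUN_OPT)]:
        print(f"{name:15s} options={ipv4_option_kinds(pkt)} drop={should_drop(pkt)}")
```

The same walk applies to the inner IP header of GTP-encapsulated traffic on Gn once the tunnel header has been stripped.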
The patch has since been applied to all the affected networks, so this is
no longer an open vulnerability.