Qiang Fu

FlexRIC v2.0.0 trusts the xapp id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid xapp id() only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp by specifying their xapp id in requests sent to the iApp (port 36422), causing responses to be misrouted to the victim xApp. This can crash the victim xApp, the RIC, or the iApp itself through state inconsistencies in the red-black tree data structure.

FlexRIC v2.0.0 contains a reachable assertion in e2ap create pdu() triggered when ASN.1 PER decoding fails. A remote unauthenticated attacker can send any non-PER byte sequence (e.g., a single 0x00 byte) over SCTP to the near-RT RIC (port 36421) or iApp (port 36422) to crash the process via SIGABRT. The assertion is reached before any protocol-level validation occurs. All three E2AP protocol versions (v1.01, v2.03, v3.01) are affected.

FlexRIC v2.0.0 uses a uint16 t counter for xapp id assignment but stores the value in uint32 t message fields. After 65,530+ E42 SETUP REQUESTs, the 16-bit counter wraps around and produces duplicate xapp ids. The iApp (port 36422) crashes when attempting to register a duplicate ID in its internal data structure. A remote attacker can trigger this by repeatedly connecting and requesting new xApp registrations.

FlexRIC v2.0.0 contains a reachable assertion in the iApp message dispatcher. The dispatcher validates incoming E2AP messages against a 9-entry whitelist using assert(). A remote unauthenticated attacker can send any decodable E2AP PDU with a message type not in the whitelist to crash the iApp process (port 36422) via SIGABRT. Since iApp and the near-RT RIC share one process, this terminates the entire RIC service and disconnects all E2 Nodes and xApps.

FlexRIC v2.0.0 crashes when receiving a duplicate E2 SETUP REQUEST from the same or spoofed E2 Node. The iApp registry enforces node ID uniqueness via assert() rather than graceful rejection. A remote unauthenticated attacker can crash the iApp process (port 36421) by sending two E2 SETUP REQUESTs with the same E2 node configuration, triggering SIGABRT.

FlexRIC v2.0.0 crashes when the iApp receives an E42 RIC SUBSCRIPTION REQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the iApp process (port 36422) via SIGABRT by exploiting this cross-layer validation mismatch.

FlexRIC v2.0.0 contains reachable assert(0) calls in stub message handlers for whitelisted but unimplemented E2AP message types in the near-RT RIC. A remote unauthenticated attacker can send a decodable E2AP PDU of such a type (e.g., E2nodeConfigurationUpdate) to crash the near-RT RIC process (port 36421) via SIGABRT. The message passes whitelist validation but triggers an unconditional assertion in the handler.

**Name of the Vulnerable Software and Affected Versions** Open5GS versions up to 2.7.2 **Description** A vulnerability was found in the function `amf nsmf pdusession handle update sm context` of the file src/amf/nsmf-handler.c of the component AMF. The manipulation leads to denial of service. The attack can be launched remotely. This issue allows a single UE to crash the AMF, resulting in the complete loss of mobility and session management services and causing a network-wide outage. All registered UEs will lose connectivity, and new registrations will be blocked until the AMF is restarted, leading to a high availability impact. **Recommendations** To resolve the issue, apply a patch to fix this problem. As a temporary workaround, consider restricting access to the vulnerable function `amf nsmf pdusession handle update sm context` until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Open5GS versions up to 2.7.2 **Description** A denial of service issue has been found in the `gmm state authentication` function of the file `src/amf/gmm-sm.c` in the component AMF. This issue can be exploited remotely, leading to a network-wide outage, causing all registered UEs to lose connectivity, and blocking new registrations until the AMF is restarted. The exploit has been disclosed to the public and may be used. **Recommendations** To fix this issue, apply the patch named `e31e9965f00d9c744a7f728497cb4f3e97744ee8` to the affected Open5GS version. As a temporary workaround, consider restricting access to the `gmm state authentication` function until a patch is available.