Zhongnan Luo

FlexRIC v2.0.0 crashes when an SCTP association is closed before an E2 SETUP REQUEST is sent. The near-RT RIC assumes a mapping between SCTP association and E2 node always exists in the cleanup path and enforces this via assert(). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by simply completing an SCTP handshake and immediately disconnecting, without sending any E2AP message.

FlexRIC v2.0.0 crashes when receiving a RIC SUBSCRIPTION RESPONSE with an unknown ric id that has no corresponding pending event. The near-RT RIC uses assert() to enforce the existence of a pending event during response processing. A remote unauthenticated attacker can send a forged RIC SUBSCRIPTION RESPONSE to the near-RT RIC (port 36421) to cause SIGABRT in Debug builds or NULL pointer dereference (SIGSEGV) in Release builds.

FlexRIC v2.0.0 contains a reachable assertion in the iApp message dispatcher. The dispatcher validates incoming E2AP messages against a 9-entry whitelist using assert(). A remote unauthenticated attacker can send any decodable E2AP PDU with a message type not in the whitelist to crash the iApp process (port 36422) via SIGABRT. Since iApp and the near-RT RIC share one process, this terminates the entire RIC service and disconnects all E2 Nodes and xApps.

FlexRIC v2.0.0 crashes when receiving a duplicate E2 SETUP REQUEST from the same or spoofed E2 Node. The iApp registry enforces node ID uniqueness via assert() rather than graceful rejection. A remote unauthenticated attacker can crash the iApp process (port 36421) by sending two E2 SETUP REQUESTs with the same E2 node configuration, triggering SIGABRT.

FlexRIC v2.0.0 crashes when the iApp receives an E42 RIC SUBSCRIPTION REQUEST with an empty ricEventTriggerDefinition field. The E42 layer decoder accepts this as valid, but the E2AP encoder asserts a non-empty constraint when forwarding the request. A remote unauthenticated attacker can crash the iApp process (port 36422) via SIGABRT by exploiting this cross-layer validation mismatch.

FlexRIC v2.0.0 contains reachable assert(0) calls in stub message handlers for whitelisted but unimplemented E2AP message types in the near-RT RIC. A remote unauthenticated attacker can send a decodable E2AP PDU of such a type (e.g., E2nodeConfigurationUpdate) to crash the near-RT RIC process (port 36421) via SIGABRT. The message passes whitelist validation but triggers an unconditional assertion in the handler.

**Name of the Vulnerable Software and Affected Versions** FlexRIC version 2.0.0 **Description** A remote unauthenticated attacker can cause the iApp process on port 36422 to crash by sending an `E42 RIC SUBSCRIPTION REQUEST` that references a non-existent E2 Node. This occurs because the lookup function returns NULL, leading to a SIGABRT in Debug builds due to an `assert()` or a SIGSEGV in Release builds due to a null pointer dereference. The attack is triggered by providing an arbitrary `global e2 node id`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

FlexRIC v2.0.0 contains a reachable assertion in e2ap create pdu() triggered when ASN.1 PER decoding fails. A remote unauthenticated attacker can send any non-PER byte sequence (e.g., a single 0x00 byte) over SCTP to the near-RT RIC (port 36421) or iApp (port 36422) to crash the process via SIGABRT. The assertion is reached before any protocol-level validation occurs. All three E2AP protocol versions (v1.01, v2.03, v3.01) are affected.

FlexRIC v2.0.0 crashes when the near-RT RIC receives a RIC INDICATION message with a ran func id that does not exist in its registry. The lookup returns NULL, triggering assert() in Debug builds (SIGABRT) or NULL pointer dereference in Release builds (SIGSEGV). A remote unauthenticated attacker can crash the near-RT RIC (port 36421) by sending a crafted RIC INDICATION with an arbitrary ran func id value.

FlexRIC v2.0.0 uses a uint16 t counter for xapp id assignment but stores the value in uint32 t message fields. After 65,530+ E42 SETUP REQUESTs, the 16-bit counter wraps around and produces duplicate xapp ids. The iApp (port 36422) crashes when attempting to register a duplicate ID in its internal data structure. A remote attacker can trigger this by repeatedly connecting and requesting new xApp registrations.

**Name of the Vulnerable Software and Affected Versions** OpenAirInterface5G version 2.4.0 **Description** An issue exists in the E2SM-KPM RAN Function's PRB utilization metric calculation within the `nr-softmodem` component. The functions `fill RRU PrbTotDl()` and `fill RRU PrbTotUl()` compute PRB usage percentages by dividing by the difference of two consecutive `total prb aggregate` samples without verifying if the divisor is zero. A malicious xApp can trigger this by sending a high volume of `E42 RIC SUBSCRIPTION REQUESTs` via the FlexRIC iApp on port 36422/SCTP, causing the E2 Agent to generate KPM Indication reports at a high frequency. If two consecutive sampling intervals produce identical PRB aggregate values, a division by zero occurs, triggering a SIGFPE (floating-point exception) and crashing the 5G base station process. This leads to a complete interruption of 5G cell service for all connected User Equipment (UE). No authentication is required to exploit this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

FlexRIC v2.0.0 contains an authorization bypass in the iApp's xApp isolation mechanism. The equality function eq xapp ric gen id() in src/ric/iApp/xapp ric id.c compares m0->xapp id against itself (m0->xapp id) instead of the other argument (m1->xapp id), effectively ignoring the xApp identity dimension. A malicious xApp connected to the iApp (port 36422) can delete any other xApp's subscriptions by sending an E42 RIC SUBSCRIPTION DELETE REQUEST with a matching ric gen id. This breaks multi-tenant isolation in any deployment with multiple xApps sharing the same RIC.

FlexRIC v2.0.0 trusts the xapp id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid xapp id() only checks that the value is within the assigned range. A remote unauthenticated attacker can impersonate any xApp by specifying their xapp id in requests sent to the iApp (port 36422), causing responses to be misrouted to the victim xApp. This can crash the victim xApp, the RIC, or the iApp itself through state inconsistencies in the red-black tree data structure.