EURECOM FlexRIC Reachable Assertion Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in EURECOM FlexRIC version 2.0.0. The issue arises in the near-RT RIC component when it receives a RIC_SUBSCRIPTION_RESPONSE containing an unknown ric_id without a corresponding pending event. The response handler relies on an assertion to verify that a pending event exists; when no such event is found, the assertion fails and the application crashes. This vulnerability can be exploited by a remote, unauthenticated attacker who sends a forged RIC_SUBSCRIPTION_RESPONSE over SCTP to port 36421.

Impact

Exploitation of this vulnerability causes the near-RT RIC to crash. In debug builds, the application aborts with a SIGABRT signal. In release builds, where assertions are removed, the vulnerability leads to a null pointer dereference, causing a SIGSEGV signal and crashing the application.

Reproduction

To reproduce this vulnerability, start the near-RT RIC and send a RIC_SUBSCRIPTION_RESPONSE over SCTP port 36421 with a ric_id that does not correspond to any active pending event. The RIC will attempt to remove a non-existent pending entry, leading to a crash.

Remediation

No upstream fix is currently available. Operators are advised to restrict SCTP access to trusted E2 nodes. The response handler should be modified to verify the existence of a pending event before processing subscription responses, and to reject unknown, replayed, or out-of-order responses without causing a crash.
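
The check described above, sketched as an added example in C. It is not FlexRIC source code and not part of the advisory: the pending-event table, its types and all function names are hypothetical, and ric_id is simplified to a single integer. A response with no matching pending event is rejected with a return code instead of being asserted on or dereferenced.

```c
/* Added illustration, not FlexRIC source; all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PENDING 16
typedef enum { RESP_ACCEPTED, RESP_REJECTED } resp_status_t;
typedef struct { bool in_use; uint16_t ric_id; } pending_ev_t;
typedef struct { pending_ev_t slot[MAX_PENDING]; unsigned rejected; } pending_tbl_t;

/* Record that a subscription request was sent and a response is expected. */
bool pending_add(pending_tbl_t *t, uint16_t ric_id) {
    for (size_t i = 0; i < MAX_PENDING; i++)
        if (!t->slot[i].in_use) {
            t->slot[i] = (pending_ev_t){ .in_use = true, .ric_id = ric_id };
            return true;
        }
    return false; /* table full */
}

static pending_ev_t *pending_find(pending_tbl_t *t, uint16_t ric_id) {
    for (size_t i = 0; i < MAX_PENDING; i++)
        if (t->slot[i].in_use && t->slot[i].ric_id == ric_id)
            return &t->slot[i];
    return NULL;
}

/* A missing pending event is reachable from the network, so it is handled
 * with a return code rather than assert() or an unchecked dereference. */
resp_status_t handle_subscription_response(pending_tbl_t *t, uint16_t ric_id) {
    pending_ev_t *ev = pending_find(t, ric_id);
    if (ev == NULL) {       /* unknown, replayed, or out-of-order response */
        t->rejected++;      /* counter an operator can alert on */
        return RESP_REJECTED;
    }
    ev->in_use = false;     /* consume once so a replay is rejected */
    return RESP_ACCEPTED;
}

int main(void) {
    pending_tbl_t t = {0};
    pending_add(&t, 7);                                  /* constructed ids */
    int forged = handle_subscription_response(&t, 99);   /* never requested */
    int valid  = handle_subscription_response(&t, 7);
    int replay = handle_subscription_response(&t, 7);    /* already consumed */
    printf("forged=%d valid=%d replay=%d rejected=%u\n", forged, valid, replay, t.rejected);
    return 0;
}
```

The rejection counter gives operators a signal to log or alert on when unsolicited responses arrive.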

Added: Jun 1, 2026, 3:26 PM
Updated: Jun 1, 2026, 3:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.