FlexRIC Reachable Assertion Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in FlexRIC version 2.0.0. The issue arises from hardcoded assertions that validate Information Element (IE) counts in decoded E2AP messages. A remote unauthenticated attacker can exploit this vulnerability by sending a valid E2AP Protocol Data Unit (PDU) with an unexpected number of IEs, such as an E2setupRequest containing extra optional fields. The failed assertion terminates the near-RT RIC or iApp process with a SIGABRT signal. The vulnerability exists because the decoder asserts exact IE counts instead of validating them against protocol-specified ranges, so variations in E2AP messages can be used to cause a process-level crash.

Impact

Exploitation of this vulnerability leads to a process crash, causing a denial-of-service condition on the affected FlexRIC component.

Reproduction

To reproduce this vulnerability, send a valid E2AP PDU with an unexpected IE count to a FlexRIC endpoint on SCTP port 36421 or 36422. The PDU should include an E2setupRequest with additional optional fields. The FlexRIC E2 agent emulator can be used to simulate this scenario.

Remediation

No upstream fix is currently available. Operators are advised to limit SCTP access to trusted peers and to modify the E2AP message decoder to validate IE counts against protocol-allowed ranges, returning a protocol error for unsupported message variants instead of using assertions.
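
The decoder change recommended above, sketched in C as an added example (this is not FlexRIC source code): an exact-count assertion beside a range check that returns an error the caller can turn into a protocol error. All type names, message kinds and IE limits are hypothetical placeholders; real limits come from the E2AP specification version in use.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* All names and limits here are hypothetical, not FlexRIC identifiers. */
typedef enum { MSG_SETUP_REQUEST, MSG_RESET_REQUEST, MSG_TYPE_COUNT } msg_type_t;
typedef enum { DEC_OK, DEC_ERR_IE_COUNT, DEC_ERR_UNSUPPORTED } dec_status_t;

typedef struct {
    int    type;      /* message type reported by the ASN.1 decoder */
    size_t ie_count;  /* number of IEs present in the decoded message */
} decoded_msg_t;

/* Placeholder limits: min = mandatory IEs, max = mandatory + optional IEs. */
static const struct { size_t min, max; } ie_limits[MSG_TYPE_COUNT] = {
    [MSG_SETUP_REQUEST] = { 2, 5 },
    [MSG_RESET_REQUEST] = { 2, 2 },
};

/* Pattern described in the advisory: an exact count enforced with assert(),
 * so a peer-controlled value can abort the whole process (SIGABRT). */
void check_ie_count_assert(const decoded_msg_t *m)
{
    assert(m->ie_count == 2);
}

/* Hardened form: peer input is validated against a range, never asserted on. */
dec_status_t check_ie_count(const decoded_msg_t *m)
{
    if (m == NULL || m->type < 0 || m->type >= MSG_TYPE_COUNT)
        return DEC_ERR_UNSUPPORTED;   /* unknown variant: reject, keep running */
    if (m->ie_count < ie_limits[m->type].min ||
        m->ie_count > ie_limits[m->type].max)
        return DEC_ERR_IE_COUNT;      /* caller replies with a protocol error */
    return DEC_OK;
}

int main(void)
{
    /* Constructed inputs: minimal, extra optional IEs, too many, unknown type. */
    const decoded_msg_t samples[] = {
        { MSG_SETUP_REQUEST, 2 }, { MSG_SETUP_REQUEST, 4 },
        { MSG_SETUP_REQUEST, 9 }, { 42, 1 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("type=%d ies=%zu -> status=%d\n", samples[i].type,
               samples[i].ie_count, (int)check_ie_count(&samples[i]));
    return 0;
}
```
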

Added: Jun 1, 2026, 5:55 PM
Updated: Jun 1, 2026, 5:55 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.