FlexRIC Reachable Assertion Vulnerability in iApp Message Dispatcher Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in FlexRIC version 2.0.0. The issue arises from a reachable assertion in the iApp message dispatcher, which validates incoming E2AP messages against a fixed whitelist of nine entries. A remote, unauthenticated attacker can exploit this vulnerability by sending any decodable E2AP Protocol Data Unit (PDU) with a message type not included in the whitelist. This exploitation causes the iApp process to crash by triggering a SIGABRT signal. In common deployments, the iApp and near-RT RIC share a single process, so this crash terminates the entire RIC service, disconnecting all E2 Nodes and xApps.

Impact

Exploitation of this vulnerability causes the iApp process to crash, terminating the RIC service and disconnecting all E2 Nodes and xApps.

Reproduction

To reproduce this vulnerability, send a decodable E2AP PDU with a message type not included in the iApp whitelist to SCTP port 36422. The PDU does not need to complete an E2 setup flow. After the dispatcher decodes the message, it will validate the type against the whitelist using an assertion, which will fail and cause the process to abort.

Remediation

No upstream fix was available at the time of publication. Operators are advised to restrict access to port 36422 to trusted xApps. The iApp message dispatcher should be modified to handle unsupported message types by returning an error response or silently dropping the message, rather than asserting on externally supplied types.
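
The dispatcher change recommended above, as an added example (not FlexRIC source code): the decoded message type is bounds-checked and looked up in the whitelist, and anything unsupported is counted and dropped instead of asserted on. All identifiers, the size of the type space and the nine whitelist values are hypothetical; the advisory gives only the count of nine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; these are not FlexRIC identifiers. */
enum { MSG_TYPE_COUNT = 32 };  /* assumed size of the decoded type space */
typedef enum { DISPATCH_OK, DISPATCH_UNSUPPORTED, DISPATCH_OUT_OF_RANGE } dispatch_rc_t;
typedef struct { uint32_t type; } decoded_pdu_t;  /* stand-in for a decoded E2AP PDU */

typedef struct {
  bool allowed[MSG_TYPE_COUNT];  /* whitelist as a lookup table */
  unsigned long handled;         /* messages passed on to a handler */
  unsigned long rejected;        /* counter an operator can alert on */
} dispatcher_t;

/* Constructed whitelist of nine type ids (the advisory does not list the values). */
static const uint32_t k_allowed[9] = {1, 2, 3, 5, 8, 9, 12, 13, 20};

void dispatcher_init(dispatcher_t *d) {
  *d = (dispatcher_t){0};
  for (size_t i = 0; i < sizeof k_allowed / sizeof k_allowed[0]; i++)
    d->allowed[k_allowed[i]] = true;
}

/* Before (pattern described in the advisory): assert(d->allowed[pdu->type]);
 * a value chosen by the peer decides whether the process aborts.
 * After: the type is untrusted input, so it is checked and never asserted on. */
dispatch_rc_t dispatch(dispatcher_t *d, const decoded_pdu_t *pdu) {
  if (pdu->type >= MSG_TYPE_COUNT) {  /* bounds check before indexing the table */
    d->rejected++;
    return DISPATCH_OUT_OF_RANGE;
  }
  if (!d->allowed[pdu->type]) {       /* decodable, but not whitelisted */
    d->rejected++;
    fprintf(stderr, "iapp: dropping unsupported msg type %u\n", (unsigned)pdu->type);
    return DISPATCH_UNSUPPORTED;      /* caller drops it or sends an error response */
  }
  d->handled++;                       /* per-type handler would run here */
  return DISPATCH_OK;
}
```

A rising `rejected` counter from a single peer is also a useful signal that something is probing the port with unexpected message types.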

Added: Jun 1, 2026, 5:49 PM
Updated: Jun 1, 2026, 5:49 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.