FlexRIC Reachable Assertion Vulnerability Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in FlexRIC version 2.0.0. The issue arises when the iApp receives an 'E42_RIC_SUBSCRIPTION_REQUEST' with an empty 'ricEventTriggerDefinition' field. The E42 layer decoder incorrectly accepts this as valid, creating a cross-layer validation mismatch. When the request is forwarded to the E2AP encoder, it asserts that the event trigger must be non-empty, causing the iApp process to crash. This vulnerability allows a remote, unauthenticated attacker to exploit the validation gap and terminate the iApp process via a SIGABRT signal, disrupting service.

Impact

Exploitation of this vulnerability causes the iApp process to terminate unexpectedly, leading to a denial-of-service condition.

Reproduction

To reproduce this vulnerability, connect to the iApp on SCTP port 36422 and send an 'E42_RIC_SUBSCRIPTION_REQUEST' with an empty 'ricEventTriggerDefinition' field. The E42 decoder accepts the request, but when it is forwarded to the E2AP encoder, the encoder's assertion that the event trigger is non-empty fails and the iApp process aborts.

Remediation

No upstream fix is currently available. Operators are advised to restrict iApp access to trusted xApps. The E42 decoder should be updated to validate event trigger definitions against the same constraints enforced by the E2AP encoder, rejecting empty definitions before forwarding.
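
The decode-side check recommended above, as an added example (not FlexRIC code and not an upstream patch). The types, function names and sample values are hypothetical stand-ins; the stub encoder only mimics the assertion the advisory describes.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for a decoded subscription request (not FlexRIC's types). */
typedef struct { size_t len; const uint8_t *buf; } octets_t;
typedef struct {
    uint16_t ran_func_id;
    octets_t event_trigger;              /* ricEventTriggerDefinition */
} sub_req_t;
typedef enum { SUB_OK, SUB_ERR_NULL, SUB_ERR_EMPTY_TRIGGER } sub_status_t;

/* The encoder's precondition, restated as a check that returns an error. */
sub_status_t validate_sub_req(const sub_req_t *r)
{
    if (r == NULL)
        return SUB_ERR_NULL;
    if (r->event_trigger.len == 0 || r->event_trigger.buf == NULL)
        return SUB_ERR_EMPTY_TRIGGER;
    return SUB_OK;
}

/* Stub for the downstream encoder: it asserts, as the advisory describes. */
int encode_calls = 0;
int stub_encode(const sub_req_t *r)
{
    assert(r->event_trigger.len > 0);    /* reachable if nothing checks first */
    encode_calls++;
    return 0;
}

/* Decode-side gate: only validated requests reach the encoder. */
int forward_sub_req(const sub_req_t *r)
{
    return validate_sub_req(r) == SUB_OK ? stub_encode(r) : -1; /* -1: rejected */
}

/* Constructed sample inputs. */
static const uint8_t sample_trigger[] = { 0x01, 0x02 };
const sub_req_t SAMPLE_EMPTY = { 1, { 0, NULL } };
const sub_req_t SAMPLE_VALID = { 1, { sizeof sample_trigger, sample_trigger } };

int main(void)
{
    printf("empty trigger -> %d\n", forward_sub_req(&SAMPLE_EMPTY));
    printf("valid trigger -> %d\n", forward_sub_req(&SAMPLE_VALID));
    return 0;
}
```

The point of the gate is that a malformed request produces an error return the caller can answer with a rejection, while the process keeps serving other xApps.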

Added: Jun 1, 2026, 5:50 PM
Updated: Jun 1, 2026, 5:50 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 9.7
threat: 1.6
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.