EURECOM FlexRIC
- >= 2.0.0, <= 6a595d8b
A reachable assertion vulnerability exists in FlexRIC version 2.0.0. The issue is in the function 'e2ap_recv_sctp_msg()' in 'src/lib/ep/e2ap_ep.c', which reads into a fixed 32KB (32,768-byte) receive buffer and asserts that the value returned by 'sctp_recvmsg()' is less than the buffer length. A remote, unauthenticated attacker can trigger the assertion by sending an SCTP message with a payload of 32,768 bytes or more: 'sctp_recvmsg()' then fills the whole buffer, the assertion fails, and the near-RT RIC, iApp, E2 Agent, or xApp process terminates with SIGABRT. The payload does not need to be a valid E2AP PDU, because the check is reached before any E2AP decoding takes place. All four types of SCTP endpoint (ports 36421 and 36422) are affected. In release builds, where assertions are compiled out (NDEBUG), the return value is used as an unsigned length without any bounds check; a negative error return then becomes a very large length (signed-to-unsigned conversion), which can lead to out-of-bounds reads.
Exploitation causes the affected near-RT RIC, iApp, E2 Agent, or xApp process to terminate with SIGABRT, a denial of service against any of the four endpoint types. In release builds, where assertions are compiled out, the unchecked length can instead undergo a signed-to-unsigned conversion and lead to an out-of-bounds read.
To reproduce, open an SCTP association to a FlexRIC endpoint on port 36421 or 36422 and send a single SCTP message whose payload is at least 32,768 bytes; the content of the payload is irrelevant. 'e2ap_recv_sctp_msg()' reads the oversized payload into the fixed 32KB buffer, the assertion fails before any E2AP decoding, and the process aborts.
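The receive pattern described above, and why both the debug-build abort and the release-build length problem follow from it, as an added example. This is not FlexRIC's code: 'sctp_recvmsg()' is replaced by a constructed callback ('fake_rx') that delivers a message of a chosen size or fails with -1, so the code runs offline, and all names ('rx_fn', 'vulnerable_recv', 'bounded_recv', 'fake_peer') are this example's own. The hardened variant uses the end-of-record indication that real 'sctp_recvmsg()' reports through MSG_EOR in its msg_flags argument to detect a message larger than the buffer, drains the remainder, and reports an error instead of aborting the process.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Added example, not FlexRIC source. Fixed receive buffer size from the advisory. */
#define RX_BUF_SIZE 32768u

/* Stand-in for what the receive path needs from sctp_recvmsg(): bytes placed in
   buf, or -1 on error. *eor models MSG_EOR: true when buf holds the end of the message. */
typedef ssize_t (*rx_fn)(void *buf, size_t cap, bool *eor, void *ctx);

/* Constructed peer: delivers one message of msg_len bytes in chunks of at most cap
   (as SCTP does when the buffer is too small), or fails every call when fail is set. */
typedef struct { size_t msg_len; size_t delivered; bool fail; int calls; } fake_peer;

static ssize_t fake_rx(void *buf, size_t cap, bool *eor, void *ctx)
{
    fake_peer *p = ctx;
    p->calls++;
    if (p->fail) return -1;
    size_t remaining = p->msg_len - p->delivered;
    size_t n = remaining < cap ? remaining : cap;
    memset(buf, 0x41, n);                  /* content is irrelevant: need not be valid E2AP */
    p->delivered += n;
    *eor = (p->delivered == p->msg_len);
    return (ssize_t)n;
}

/* Result of the vulnerable pattern: whether the assert() would fire, else the length
   that would be handed to the E2AP decoder. */
typedef struct { bool aborts; size_t len; } vuln_result;

/* Vulnerable pattern modelled after the advisory: the return value is stored as an
   unsigned length and only checked by an assert(). release_build models NDEBUG. */
vuln_result vulnerable_recv(rx_fn rx, void *ctx, uint8_t *buf, size_t cap, bool release_build)
{
    bool eor = false;                      /* MSG_EOR is ignored, as in the vulnerable pattern */
    vuln_result r = { false, 0 };
    size_t len = (size_t)rx(buf, cap, &eor, ctx);   /* -1 wraps to SIZE_MAX here */
    /* Debug build: assert(len < cap). A message of cap bytes or more yields len == cap,
       the assertion fails and the process dies with SIGABRT before any decoding. */
    if (!release_build && !(len < cap)) { r.aborts = true; return r; }
    r.len = len;                           /* release build: unchecked length flows onward */
    return r;
}

typedef enum { RX_OK, RX_ERR_IO, RX_ERR_TOO_BIG } rx_status;

/* Hardened pattern: check the error return, detect truncation via the end-of-record
   flag, discard the rest of an oversized message so the stream stays in sync, and
   report it to the caller instead of aborting the RIC, agent or xApp. */
rx_status bounded_recv(rx_fn rx, void *ctx, uint8_t *buf, size_t cap, size_t *out_len)
{
    bool eor = false;
    ssize_t rc = rx(buf, cap, &eor, ctx);
    if (rc < 0) return RX_ERR_IO;          /* never let -1 become a length */
    if (eor) { *out_len = (size_t)rc; return RX_OK; }   /* 0 <= rc <= cap, safe to pass on */
    while (!eor) {                         /* drain the remainder of the oversized message */
        rc = rx(buf, cap, &eor, ctx);
        if (rc < 0) return RX_ERR_IO;
    }
    *out_len = 0;
    return RX_ERR_TOO_BIG;
}

int main(void)
{
    uint8_t buf[RX_BUF_SIZE];
    size_t n = 0;
    fake_peer oversized = { .msg_len = RX_BUF_SIZE };       /* exactly 32,768 bytes */
    vuln_result v = vulnerable_recv(fake_rx, &oversized, buf, sizeof buf, false);
    printf("vulnerable, debug build, 32768-byte message: %s\n", v.aborts ? "SIGABRT" : "ok");
    fake_peer again = { .msg_len = RX_BUF_SIZE };
    rx_status s = bounded_recv(fake_rx, &again, buf, sizeof buf, &n);
    printf("hardened, same message: status=%d len=%zu\n", (int)s, n);
    fake_peer failing = { .fail = true };
    v = vulnerable_recv(fake_rx, &failing, buf, sizeof buf, true);
    printf("vulnerable, release build, recv error: len=%zu\n", v.len);
    return 0;
}
```

Against a live target the same condition is reached by connecting with a socket created as socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP) and sending 32,768 or more bytes in one message, as the reproduction steps above describe; the example keeps the network side simulated so the length handling alone is what it exercises.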