OpenAirInterface5G
- 2.4.0
A divide-by-zero vulnerability has been identified in OpenAirInterface5G version 2.4.0, specifically within the 'nr-softmodem' component that integrates with the FlexRIC E2 Agent. The issue arises in the E2SM-KPM RAN Function's calculation of Physical Resource Block (PRB) utilization metrics. The vulnerability occurs in the 'fill_RRU_PrbTotDl()' and 'fill_RRU_PrbTotUl()' functions, where PRB usage percentages are computed by dividing the total PRB aggregate samples from two consecutive intervals. This calculation fails to verify if the divisor is zero. When a malicious xApp transmits a large volume of 'E42_RIC_SUBSCRIPTION_REQUEST' messages through the FlexRIC iApp, the E2 Agent responds by generating KPM Indication reports at a high frequency. If two successive sampling intervals have the same PRB aggregate values, the division by zero triggers a SIGFPE signal, causing the 'nr-softmodem' process to crash. This failure disrupts 5G cell service for all connected User Equipments (UEs). Notably, no authentication is required to exploit this vulnerability.
Exploitation of this vulnerability leads to a SIGFPE error, causing the 'nr-softmodem' process to crash and interrupting 5G cell service for all connected UEs.
To reproduce this vulnerability, run OpenAirInterface5G 'nr-softmodem' version 2.4.0 with the FlexRIC E2 Agent integration. Then, use a malicious or compromised xApp to send a high volume of 'E42_RIC_SUBSCRIPTION_REQUEST' messages through the FlexRIC iApp on SCTP port 36422. Monitor the PRB aggregate values; if two consecutive samples are identical, the 'nr-softmodem' process will crash with a SIGFPE error, disrupting 5G cell service for connected UEs.
No upstream fix was available at the time of publication. Operators are advised to limit access to the RIC/iApp control path, rate-limit untrusted KPM subscription activity, and modify the PRB calculation to check for zero denominators, returning a safe value or omitting the metric for that interval.
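The zero-denominator check recommended above, as an added example; this is not OpenAirInterface5G or FlexRIC code. The type `prb_sample_t` and the function `prb_util_percent()` are hypothetical names. The example assumes the divisor is the difference between the total PRB aggregate counters of two consecutive samples, which is why identical samples produce a zero divisor.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical snapshot of the cumulative PRB counters at one KPM report. */
typedef struct {
  uint64_t total_prb_aggregate; /* PRBs available so far */
  uint64_t used_prb_aggregate;  /* PRBs scheduled so far */
} prb_sample_t;

/* Returns true and writes 0..100 to *pct when the interval is measurable.
 * Returns false (caller omits the metric) when the divisor would be zero
 * or a counter moved backwards, instead of performing the division. */
bool prb_util_percent(const prb_sample_t *prev, const prb_sample_t *cur,
                      uint32_t *pct)
{
  if (prev == NULL || cur == NULL || pct == NULL)
    return false;
  if (cur->total_prb_aggregate <= prev->total_prb_aggregate)
    return false; /* identical samples give delta == 0: the SIGFPE case */
  if (cur->used_prb_aggregate < prev->used_prb_aggregate)
    return false; /* counter reset between samples */

  uint64_t d_total = cur->total_prb_aggregate - prev->total_prb_aggregate;
  uint64_t d_used = cur->used_prb_aggregate - prev->used_prb_aggregate;
  if (d_used > d_total)
    d_used = d_total; /* clamp inconsistent input to 100 % */

  /* Avoid 64-bit overflow of d_used * 100 on very large deltas. */
  if (d_used > UINT64_MAX / 100)
    *pct = (uint32_t)(d_used / (d_total / 100));
  else
    *pct = (uint32_t)(d_used * 100 / d_total);
  return true;
}

int main(void)
{
  /* Constructed samples: two identical back-to-back reports, then a normal one. */
  prb_sample_t s0 = {1000, 400}, s1 = {1000, 400}, s2 = {2000, 900};
  uint32_t pct = 0;

  if (!prb_util_percent(&s0, &s1, &pct))
    printf("interval s0->s1: metric omitted (zero divisor)\n");
  if (prb_util_percent(&s1, &s2, &pct))
    printf("interval s1->s2: %u%%\n", pct);
  return 0;
}
```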