Keypoints
- Open RAN (O-RAN) exposes the near-RT RIC to third-party xApps, making xApps a primary attack vector.
- RMR (RIC Message Router) routing tables contain destination, priority, queues, message type, and message identifier used by RIC components to route messages.
- CVE-2023-40998: crafted packet with incorrect first four bytes can produce a negative packet size during decoding and crash E2Term (memcpy overflow/invalid size).
- CVE-2023-40997: improperly formatted packets that cannot be decoded lead to incorrect memory address calculation and an E2Term crash.
- CVE-2023-41627: E2Term does not validate the sender of route table information, enabling forged route-table messages to disrupt RIC routing.
- RMR hijacking can occur if two xApps register the same message type/subscription ID, causing RMR entries to be overwritten and messages redirected.
- Mitigations: secure xApp onboarding, sender/authentication checks for route tables, robust packet validation, uniqueness checks for subscriptions, and DPI capable of understanding O-RAN protocols.
MITRE Techniques
- [T1195] Supply Chain Compromise: introducing a malicious xApp via the supply chain or a hijacked onboarding process to gain a foothold in the RIC. ["An xApp could be compromised through the supply chain or by hijacking the onboarding process."]
- [T1190] Exploit Public-Facing Application: sending crafted or malformed packets to RIC components to trigger crashes in E2Term (CVE-2023-40998 / CVE-2023-40997). ["The CVE-2023-40998 vulnerability involves incorrect packet information that can result in a negative packet size during decoding..."]
- [T1499] Endpoint Denial of Service: causing E2Term crashes and RIC component failures through malformed packets, resulting in service degradation. ["...causing an incorrect memory address calculation and resulting in an E2Term crash."]
- [T1498] Network Denial of Service / Network Manipulation: spoofing RMR routing information or flooding route updates to deceive E2Term and disrupt intra-RIC communications (CVE-2023-41627). ["E2Term does not validate the sender of the route table information it receives."]
Indicators of Compromise
- [Vulnerability ID] reported vulnerable items: CVE-2023-40998, CVE-2023-40997, CVE-2023-41627
- [Domain] referenced resources and vendor/spec pages: o-ran.org, trendmicro.com (research/report)
- [URL] research and source links: https://www.trendmicro.com/en_us/research/23/l/the-current-state-of-open-ran-security.html, https://nvd.nist.gov/vuln/detail/CVE-2023-40998
- [File name / asset] example artifacts (images illustrating flows): Oran%20Security_1.jpg, Oran%20Security_4.jpg (and other image assets)
The near-RT RIC relies on the RIC Message Router (RMR) as the internal bus for xApps, E2Term, and other RIC components. RMR tables hold routing metadata (destination, priority, queue, message type, message identifier) and are accessed via the RMR library APIs included in xApps and E2Term; inter-xApp communication is routed through RMR entries created when xApps subscribe using function IDs and subscription IDs.
Multiple protocol-parsing and routing weaknesses were found in the RMR/E2Term stack. Two decoding vulnerabilities allow a crafted packet to produce a negative/incorrect size (packet length read from the first four bytes) or an invalid memory address calculation during decoding, causing memcpy or pointer errors and resulting in E2Term crashes (CVE-2023-40998, CVE-2023-40997). Separately, E2Term accepts route-table updates without authenticating the sender; an attacker can send forged routing tables (or flood updates at higher frequency) to overwrite legitimate entries (CVE-2023-41627). Additionally, if two xApps register identical message/subscription IDs, the later registration overwrites the earlier RMR entry, effectively hijacking message delivery between E2 nodes and xApps.
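As an added illustration (not code from the Trend Micro report or from the O-RAN Software Community E2Term/RMR sources), the C program below reproduces the length-handling mistake behind the two decoding crashes in miniature and shows the checks a hardened decoder applies before touching memory. The wire layout (a 4-byte big-endian signed length followed by the payload), the function names and the three sample packets are assumptions constructed for this example and are not the real E2AP/RMR framing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 256

enum decode_status { DECODE_TRUNCATED = -1, DECODE_BAD_LENGTH = -2 };

/* Scratch destination buffer shared by the examples below. */
uint8_t scratch[MAX_PAYLOAD];

/* Assumed, hypothetical wire layout: 4-byte big-endian signed length, then payload. */
static int32_t read_len_be32(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8)  |  (uint32_t)p[3]);
}

/* Vulnerable decoder: the signed length goes straight into memcpy's size_t
   parameter. A negative value wraps to a huge size; an oversized value over-reads
   the packet and over-writes the destination. Either way the process crashes.
   Only ever call this on a well-formed packet. */
int32_t decode_vulnerable(const uint8_t *pkt, size_t pkt_len, uint8_t *out) {
    if (pkt_len < 4) return DECODE_TRUNCATED;
    int32_t len = read_len_be32(pkt);
    memcpy(out, pkt + 4, (size_t)len);   /* no sign, bound or packet-length check */
    return len;
}

/* The size the vulnerable path would hand to memcpy, without performing the copy. */
size_t vulnerable_copy_size(const uint8_t *pkt) {
    return (size_t)read_len_be32(pkt);
}

/* Hardened decoder: reject negative lengths, lengths beyond the destination
   capacity, and lengths that run past the end of the received packet. */
int32_t decode_hardened(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_cap) {
    if (pkt == NULL || out == NULL || pkt_len < 4) return DECODE_TRUNCATED;
    int32_t len = read_len_be32(pkt);
    if (len < 0) return DECODE_BAD_LENGTH;
    size_t ulen = (size_t)len;
    if (ulen > out_cap) return DECODE_BAD_LENGTH;
    if (ulen > pkt_len - 4) return DECODE_TRUNCATED;
    memcpy(out, pkt + 4, ulen);
    return len;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t PKT_GOOD[]     = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
const uint8_t PKT_NEGATIVE[] = { 0xFF, 0xFF, 0xFF, 0xF0, 'x', 'x', 'x', 'x' }; /* length -16 */
const uint8_t PKT_OVERSIZE[] = { 0x00, 0x01, 0x00, 0x00, 'x', 'x', 'x', 'x' }; /* claims 65536 */

int main(void) {
    printf("good:     %d\n", decode_hardened(PKT_GOOD, sizeof PKT_GOOD, scratch, sizeof scratch));
    printf("negative: %d\n", decode_hardened(PKT_NEGATIVE, sizeof PKT_NEGATIVE, scratch, sizeof scratch));
    printf("oversize: %d\n", decode_hardened(PKT_OVERSIZE, sizeof PKT_OVERSIZE, scratch, sizeof scratch));
    printf("vulnerable memcpy size for the negative packet: %zu\n",
           vulnerable_copy_size(PKT_NEGATIVE));
    return 0;
}
```

The point to carry over to any real decoder is the order of checks: sign, destination capacity, then remaining packet bytes, all before the copy. A check on only one of the three still leaves a crash path.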
To mitigate these issues operators should enforce secure xApp onboarding (supply-chain vetting and code signing), enforce authentication and integrity checks on routing-table and control-plane messages, validate packet lengths and decoding inputs robustly (reject, or safely handle, negative and implausibly large sizes), enforce uniqueness checks for subscription/function IDs so a later registration cannot silently replace an earlier one, and deploy DPI or protocol-aware inspection between RIC components to detect malformed packets and forged route updates. RIC designs should also ensure conservative failover so core traffic handling remains resilient if RIC/xApp components fail.
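The route-entry overwrite and the missing sender check, as an added example in C that is not the O-RAN SC RMR implementation: a toy route table keyed on (message type, subscription ID), an insecure register call in which a later xApp silently replaces an earlier entry, a hardened variant with the uniqueness check, and a whole-table update that only the configured route manager may push. The struct layout, the owner field, the trusted_rtmgr name and the message type and subscription ID values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ROUTES 16
#define NAME_LEN   32

/* One RMR-style route: messages of msg_type for sub_id go to endpoint. The owner
   field (the xApp that registered the entry) is an assumption for this example. */
typedef struct {
    int  msg_type;
    int  sub_id;
    char endpoint[NAME_LEN];
    char owner[NAME_LEN];
} route_entry;

typedef struct {
    route_entry entries[MAX_ROUTES];
    int  count;
    char trusted_rtmgr[NAME_LEN]; /* only sender allowed to push whole-table updates */
} route_table;

enum { ROUTE_OK = 0, ROUTE_DUPLICATE = -1, ROUTE_FULL = -2, ROUTE_UNTRUSTED_SENDER = -3 };

static route_entry *route_find(route_table *t, int msg_type, int sub_id) {
    for (int i = 0; i < t->count; i++)
        if (t->entries[i].msg_type == msg_type && t->entries[i].sub_id == sub_id)
            return &t->entries[i];
    return NULL;
}

/* Insecure registration: last writer wins, so a second xApp registering the same
   (msg_type, sub_id) silently takes over delivery of that traffic. */
int route_register_insecure(route_table *t, int msg_type, int sub_id,
                            const char *endpoint, const char *owner) {
    route_entry *e = route_find(t, msg_type, sub_id);
    if (e == NULL) {
        if (t->count >= MAX_ROUTES) return ROUTE_FULL;
        e = &t->entries[t->count++];
        e->msg_type = msg_type;
        e->sub_id   = sub_id;
    }
    snprintf(e->endpoint, NAME_LEN, "%s", endpoint);
    snprintf(e->owner, NAME_LEN, "%s", owner);
    return ROUTE_OK;
}

/* Hardened registration: a key already owned by a different xApp is not overwritten. */
int route_register_hardened(route_table *t, int msg_type, int sub_id,
                            const char *endpoint, const char *owner) {
    route_entry *e = route_find(t, msg_type, sub_id);
    if (e != NULL && strcmp(e->owner, owner) != 0) return ROUTE_DUPLICATE;
    return route_register_insecure(t, msg_type, sub_id, endpoint, owner);
}

/* Whole-table update: accept only from the configured route manager. In a real
   deployment the sender identity must come from mTLS or a signature on the update,
   not from a self-asserted name as in this toy. */
int route_table_update(route_table *t, const char *sender,
                       const route_entry *new_entries, int n) {
    if (strcmp(sender, t->trusted_rtmgr) != 0) return ROUTE_UNTRUSTED_SENDER;
    if (n < 0 || n > MAX_ROUTES) return ROUTE_FULL;
    memcpy(t->entries, new_entries, (size_t)n * sizeof *new_entries);
    t->count = n;
    return ROUTE_OK;
}

const char *route_lookup(route_table *t, int msg_type, int sub_id) {
    route_entry *e = route_find(t, msg_type, sub_id);
    return e ? e->endpoint : NULL;
}

/* Scenario 1: xapp-a subscribes, then xapp-evil registers the same key.
   Returns 1 if the lookup now points at xapp-evil (hijack succeeded). */
int hijack_succeeds(int (*reg)(route_table *, int, int, const char *, const char *)) {
    route_table t = { .count = 0, .trusted_rtmgr = "rtmgr" };
    reg(&t, 12050, 7, "xapp-a:4560", "xapp-a");        /* constructed ids */
    reg(&t, 12050, 7, "xapp-evil:4560", "xapp-evil");
    const char *dst = route_lookup(&t, 12050, 7);
    return dst != NULL && strcmp(dst, "xapp-evil:4560") == 0;
}

/* Scenario 2: a forged whole-table push from xapp-evil is refused; the same
   update from the route manager is applied. */
int forged_update_rejected(void) {
    route_table t = { .count = 0, .trusted_rtmgr = "rtmgr" };
    route_entry forged[1] = { { 12050, 7, "xapp-evil:4560", "xapp-evil" } };
    int a = route_table_update(&t, "xapp-evil", forged, 1);
    int b = route_table_update(&t, "rtmgr", forged, 1);
    return a == ROUTE_UNTRUSTED_SENDER && b == ROUTE_OK && t.count == 1;
}

int main(void) {
    printf("hijack with insecure register: %d\n", hijack_succeeds(route_register_insecure));
    printf("hijack with hardened register: %d\n", hijack_succeeds(route_register_hardened));
    printf("forged update rejected:        %d\n", forged_update_rejected());
    return 0;
}
```

The uniqueness check only helps if the owner identity is itself authenticated at onboarding; otherwise a malicious xApp simply claims the victim's name, which is why the sender check on table updates and the onboarding controls above belong together.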
Read more: https://www.trendmicro.com/en_us/research/23/l/the-current-state-of-open-ran-security.html