Headline
CVE-2023-41627: [RIC-1001] RMR service doesn't verify the route tables it receives
O-RAN Software Community ric-plt-lib-rmr v4.9.0 does not validate the source of the routing tables it receives, potentially allowing attackers to send forged routing tables to the device.
Dear O-RAN Software Community,
I’d like to report an issue with the RMR service not verifying the messages it receives.
We know that components using the rmr library (RMR service) rely on the routing manager to regularly send a routing table, so they can communicate with other components inside the RIC system.
However, the RMR service does not verify the source of the received routing table information, and the transmission of these routing tables is unencrypted, which means we can send forged routing tables to deceive the target service.
Impact:
This lack of validation allows an attacker to exploit this weakness by sending forged routing table information to any RMR service.
For example, attackers could use an xApp to send forged routing tables to other RMR services and mess up communication between different components.
PoC:
In the attachment, I have provided an example of a route table packet that can be used to interrupt communication between various components.
You can simply change the component’s message routing settings by sending it through an xApp to the target component, such as e2term.
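A monitoring check for the weakness reported above, as an added example that is not part of the original report or of RMR itself: it parses a received route table and flags endpoints outside an operator allowlist and routes that differ from a known-good baseline. The pipe-delimited record layout is assumed to follow RMR's static route table file format; the function names, host names, ports and message types are constructed.

```python
# Added example (not RMR code). Assumed record format, after RMR's static
# route table files: newrt|start, rte|<mtype>|<endpoints>,
# mse|<mtype>|<subid>|<endpoints>, newrt|end.
import re

def parse_route_table(text):
    """Return {(mtype, subid): frozenset(endpoints)}; ValueError if malformed."""
    routes, state = {}, "idle"
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split("|")]
        if fields == [""]:                      # blank or comment-only line
            continue
        if fields[:2] == ["newrt", "start"] and state == "idle":
            state = "open"
        elif fields[:2] == ["newrt", "end"] and state == "open":
            state = "closed"
        elif fields[0] in ("rte", "mse") and state == "open":
            want = 3 if fields[0] == "rte" else 4
            if len(fields) != want:
                raise ValueError(f"bad field count: {raw!r}")
            mtype = int(fields[1].split(",")[0])    # "<mtype>[,<sender>]"
            subid = int(fields[2]) if want == 4 else -1
            eps = frozenset(e.strip() for e in re.split(r"[;,]", fields[-1]) if e.strip())
            routes[(mtype, subid)] = eps
        else:
            raise ValueError(f"unexpected record: {raw!r}")
    if state != "closed":
        raise ValueError("table not terminated by newrt|end")
    return routes

def audit(baseline, received, allowed):
    """List findings for a received table: unknown endpoints, changed or removed routes."""
    findings = []
    for key, eps in sorted(received.items()):
        for ep in sorted(eps - allowed):
            findings.append(("unknown-endpoint", key, ep))
        if key in baseline and eps != baseline[key]:
            findings.append(("route-changed", key, ",".join(sorted(eps))))
    for key in sorted(baseline.keys() - received.keys()):
        findings.append(("route-removed", key, ""))
    return findings

# Constructed sample data: host names, ports and message types are placeholders.
ALLOWED = frozenset({"e2term.example:38000", "e2mgr.example:3801"})
BASELINE = parse_route_table(
    "newrt|start\nrte|100|e2term.example:38000\nmse|200|-1|e2mgr.example:3801\nnewrt|end\n")
RECEIVED = parse_route_table("newrt|start\nrte|100|unlisted.example:4560\nnewrt|end\n")
FINDINGS = audit(BASELINE, RECEIVED, ALLOWED)
```

A check like this detects an unexpected table after it arrives; it does not authenticate the sender, which is the gap the report describes.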