CVE-2023-41627

7.5 HIGH

📋 TL;DR

CVE-2023-41627 is a vulnerability in O-RAN Software Community's ric-plt-lib-rmr v4.9.0 where the software fails to validate the source of routing tables it receives. This allows attackers to send forged routing tables to potentially disrupt or manipulate network traffic in Open RAN deployments. Organizations using affected O-RAN implementations are vulnerable.

💻 Affected Systems

Products:
  • O-RAN Software Community ric-plt-lib-rmr
Versions: v4.9.0
Operating Systems: Linux-based systems running O-RAN software
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using the vulnerable RMR library version in O-RAN deployments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could redirect or intercept all network traffic through malicious nodes, enabling data interception, service disruption, or man-in-the-middle attacks across the RAN infrastructure.

🟠 Likely Case

Network disruption through routing table manipulation causing service degradation or denial of service in affected O-RAN components.

🟢 If Mitigated

Limited impact with proper network segmentation and source validation controls in place.

🌐 Internet-Facing: MEDIUM - While O-RAN components are typically internal, some deployments may have exposed interfaces.
🏢 Internal Only: HIGH - Attackers with internal network access can exploit this to disrupt critical RAN operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the vulnerable component but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.9.1 or later

Vendor Advisory: https://jira.o-ran-sc.org/browse/RIC-1001

Restart Required: Yes

Instructions:

1. Update ric-plt-lib-rmr to v4.9.1 or later.
2. Restart affected services.
3. Verify routing table validation is enabled.

🔧 Temporary Workarounds

Network Segmentation (Linux)

Isolate O-RAN components to prevent unauthorized access to RMR interfaces.

iptables -A INPUT -p tcp --dport <rmr-port> -s <trusted-networks> -j ACCEPT
iptables -A INPUT -p tcp --dport <rmr-port> -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can communicate with RMR interfaces.
  • Monitor for unexpected routing table changes and implement alerting.

🔍 How to Verify

Check if Vulnerable:

Check ric-plt-lib-rmr version: dpkg -l | grep ric-plt-lib-rmr or rpm -qa | grep ric-plt-lib-rmr

Check Version:

dpkg -l | grep ric-plt-lib-rmr || rpm -qa | grep ric-plt-lib-rmr || find /usr -name '*rmr*' -type f -exec strings {} \; | grep -i version

Verify Fix Applied:

Confirm version is v4.9.1 or later and test routing table validation functionality.
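
A version-comparison helper for the check above, as an added example (not from the advisory or from O-RAN SC). It assumes GNU sort -V is available, that package listings arrive as "name version" pairs, and that the package name contains "rmr"; the sample input is constructed.

```shell
#!/bin/sh
AFFECTED="4.9.0"   # affected version named in the advisory
FIXED="4.9.1"      # fixed version named in the advisory

# Strip a Debian epoch ("1:"), a leading "v" and any packaging suffix ("-1").
norm_version() {
  printf '%s\n' "$1" | sed -E 's/^[0-9]+://; s/^[vV]//; s/[^0-9.].*$//'
}

# Returns 0 if version >= FIXED, 1 if lower, 2 if it cannot be parsed.
# sort -V compares numerically per component, so 4.10.0 ranks above 4.9.1.
is_patched() {
  v=$(norm_version "$1")
  [ -n "$v" ] || return 2
  lowest=$(printf '%s\n%s\n' "$v" "$FIXED" | sort -V | head -n 1)
  [ "$lowest" = "$FIXED" ]
}

# Prints FIXED, AFFECTED, REVIEW (below the fix but not listed in the
# advisory) or UNKNOWN (unparseable version string).
classify() {
  if is_patched "$1"; then
    echo FIXED
  else
    case $? in
      1) if [ "$(norm_version "$1")" = "$AFFECTED" ]; then echo AFFECTED
         else echo REVIEW; fi ;;
      *) echo UNKNOWN ;;
    esac
  fi
}

# Reads "name version" pairs on stdin, e.g. from
#   dpkg-query -W -f='${Package} ${Version}\n'
#   rpm -qa --qf '%{NAME} %{VERSION}\n'
# and prints a verdict for every package whose name contains "rmr".
audit_rmr() {
  while read -r name ver; do
    case "$name" in *rmr*) ;; *) continue ;; esac
    echo "$name $ver $(classify "$ver")"
  done
}

# Constructed sample listing (not real host output).
printf 'rmr 4.9.0-1\nrmr-dev v4.9.1\nlibc6 2.31\nrmr 4.8.5\n' | audit_rmr
```

Any line that ends in AFFECTED, REVIEW or UNKNOWN needs follow-up before the host is treated as patched.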

📡 Detection & Monitoring

Log Indicators:

  • Unexpected routing table updates from unauthorized sources
  • RMR service errors related to routing validation

Network Indicators:

  • Unusual traffic patterns to/from RMR ports
  • Routing table updates from unexpected IP addresses

SIEM Query:

source="o-ran-logs" AND ("routing table" OR "RMR") AND ("update" OR "modify") | stats count by src_ip
