CVE-2024-34036
📋 TL;DR
This vulnerability allows attackers to disrupt the initial connection between a gNB (gNodeB) and the Near Real-Time RAN Intelligent Controller (Near RT-RIC) by flooding the system with excessive subscription requests via an xApp. It affects O-RAN Near Realtime RIC I-Release deployments where xApps can send subscription requests. The attack can cause denial of service during critical connection establishment phases.
💻 Affected Systems
- O-RAN Near Realtime RIC (Near RT-RIC)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of gNB-Near RT-RIC connections, preventing new 5G radio units from joining the network and causing service outages for affected cells.
Likely Case
Temporary connection failures and increased latency during gNB registration, potentially causing intermittent service degradation.
If Mitigated
Minimal impact with proper rate limiting and request validation in place, possibly causing only minor delays during peak attack periods.
🎯 Exploit Status
Exploitation requires access to xApp functionality or ability to deploy/modify xApps. The attack pattern is straightforward resource exhaustion.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in O-RAN Near RT-RIC I-Release updates addressing RIC-1057
Vendor Advisory: https://jira.o-ran-sc.org/browse/RIC-1057
Restart Required: Yes
Instructions:
1. Update to the latest O-RAN Near RT-RIC I-Release version. 2. Apply patches addressing subscription request handling. 3. Restart Near RT-RIC services. 4. Verify xApp subscription interfaces are properly secured.
🔧 Temporary Workarounds
Rate Limit Subscription Requests
linuxImplement rate limiting on xApp subscription interfaces to prevent flooding attacks
# Configure rate limiting in Near RT-RIC configuration
# Example: Set max_subscription_requests_per_second=100 in ric-config.yaml
Restrict xApp Access
linuxLimit which xApps can send subscription requests and implement authentication/authorization
# Configure xApp authentication in security policies
# Example: Update xapp-policy.json with required permissions
🧯 If You Can't Patch
- Implement network-level rate limiting and DDoS protection for Near RT-RIC interfaces
- Monitor subscription request patterns and alert on abnormal volumes from xApps
🔍 How to Verify
Check if Vulnerable:
Check if your Near RT-RIC version is pre-fix I-Release and review xApp subscription interface configurations for rate limiting.Check Version:
ricctl version or check Near RT-RIC deployment manifests for version informationVerify Fix Applied:
Test by sending high volumes of subscription requests via xApp interface and verify system remains responsive.📡 Detection & Monitoring
Log Indicators:
- High frequency of subscription requests from single xApp
- Connection failures during gNB registration
- Resource exhaustion warnings in Near RT-RIC logs
Network Indicators:
- Unusual spike in traffic to Near RT-RIC subscription endpoints
- Abnormal request patterns from xApp network segments
SIEM Query:
source="near-rt-ric" AND ("subscription request" OR "connection failed") AND count > threshold