Dear O-RAN Software Community

I'd like to report the crash related to E2Term.

Following the correct E2AP setup procedure, E2node must first send an E2setupRequest to E2Term to request the establishment of a connection.

However, if E2node does not send the message according to the correct procedure, it can lead to E2Term crashing.

For example, if E2Node sends RIC_indication or E2serviceUpdate right from the start without sending E2setupRequest beforehand, E2Term will crash upon receiving these messages.

In other words, if the first message sent is E2setupRequest, then sending RIC_indication or E2serviceUpdate afterward will not result in a crash.

After testing, it was found that sending RICindications, RICsubscriptionRequests, E2service Updates, and E2NodeConfiguration updates all lead to crashes.

Impact:

The attacker can trigger incorrect message flows leading to E2term crashes by sending this type of packet to E2Term through E2node.

PoC:

The attachment includes two crash result diagrams and the packet that caused the crash. We can easily trigger the crash by sending this packet through port 36422 of E2Term.