Near Realtime RAN Intelligent Controller
RIC-1009

implement authentication and authorization in internal xApp-facing and operator-facing interfaces


    • Type: Epic
    • Resolution: Unresolved
    • Priority: Medium
    • ZZZ_future
    • e2mgr
    • G-release

    • implement authentication and authorization in internal xApp-facing and operator-facing interfaces

      Note that RIC-1001 goes in the same direction and both are related to first implementing A&A on these interfaces.

      I would like to report issues related to the potential misuse of the E2Manager API.

      E2Manager possesses an API that allows users to invoke it for the purpose of shutting down all connected NodeBs.

      # E2Manager shutdown API (Swagger / OpenAPI 3 fragment)
      paths:
        /nodeb/shutdown:
          put:
            tags:
              - nodeb
            summary: Close all connections to the RANs
            responses:
              '200':
                description: 'Operation succeeded internally, outbound calls failed'
                content:
                  application/json:
                    schema:
                      $ref: '#/components/schemas/RedButtonPartialSuccessResponseModel'
              '204':
                description: Successful operation
              '500':
                description: Internal Error
                content:
                  application/problem+json:
                    schema:
                      $ref: '#/components/schemas/ErrorResponse'

      Due to the absence of user authentication in API invocation, E2Manager accepts calls from any user, thus providing attackers with an opportunity to disrupt the availability of NodeBs.

      Impact:

      An attacker can utilize the xApp to invoke this API and send a request to E2mgr to shut down all nodeBs.

      PoC:

      The attachment is a simple example of invoking an API. An attacker can package this program into an xApp to launch an attack.

      Use the following command to invoke the API with the HTTP IP address of 'e2mgr'.

      ./curl <service-ricplt-e2mgr-http_ip> 
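      As an added example (not e2mgr's own code), one way the A&A requirement of this epic could be enforced in front of the shutdown endpoint described above: a Go middleware that answers unauthenticated or unknown callers with 401 and authenticated callers lacking the operator role (for instance an xApp identity) with 403, so only an operator reaches the 204 path. The in-memory token table, token strings and role names are constructed placeholders standing in for a real identity provider.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed token table standing in for an identity provider (hypothetical values, not e2mgr's own).
var tokenRoles = map[string][]string{
	"tok-operator-01": {"ran-operator"},
	"tok-xapp-kpimon": {"xapp-reader"},
}

// requireRole admits a request only when it carries a known bearer token granting the required role.
func requireRole(role string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		roles, known := tokenRoles[strings.TrimPrefix(auth, "Bearer ")]
		if !strings.HasPrefix(auth, "Bearer ") || !known {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		for _, granted := range roles {
			if granted == role {
				next.ServeHTTP(w, r)
				return
			}
		}
		// Authenticated (e.g. an xApp identity) but not authorized for this operation: 403.
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// shutdownHandler stands in for the real endpoint; success is 204 as in the Swagger above.
func shutdownHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusNoContent)
}

// callShutdown sends PUT /nodeb/shutdown with the given Authorization header value through the guard and returns the status code.
func callShutdown(authHeader string) int {
	mux := http.NewServeMux()
	mux.Handle("/nodeb/shutdown", requireRole("ran-operator", http.HandlerFunc(shutdownHandler)))
	req := httptest.NewRequest(http.MethodPut, "/nodeb/shutdown", nil)
	req.Header.Set("Authorization", authHeader)
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}
```

In a deployment the table lookup would be replaced by token validation against the platform's identity provider, and the audit log should record the authenticated principal for every call to this endpoint.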


            dhirajverma (dhiraj verma)
            penguinic77 (Nic Nic)
            Votes: 0
            Watchers: 2