CVE-2024-34045 is a denial-of-service vulnerability identified in the O-RAN E2T I-Release software, specifically within the Prometheus metric increment function implemented in the sctpThread.cpp source file. The vulnerability arises when the function attempts to increment a counter associated with the E2 setup procedure message peer information, specifically at message.peerInfo->counters[IN_INITI][MSG_COUNTER][ProcedureCode_id_E2setup]->Increment(). This operation can cause the process to crash, likely due to improper handling of resource limits or null pointer dereferences, leading to a failure in the SCTP (Stream Control Transmission Protocol) thread responsible for managing communication metrics. The vulnerability is categorized under CWE-400, which relates to uncontrolled resource consumption or exhaustion, resulting in denial of service. The CVSS v3.1 base score is 7.5 (high), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and impacts availability only (A:H) without affecting confidentiality or integrity. No patches or fixes have been released at the time of publication, and no known exploits have been detected in the wild. The vulnerability affects O-RAN E2T I-Release implementations that utilize Prometheus metrics for monitoring SCTP message counters, which are critical in 5G network infrastructure for managing radio access network communications.

The primary impact of CVE-2024-34045 is a denial-of-service condition that can disrupt the availability of O-RAN E2T components in 5G network environments. Since the vulnerability causes a crash in the SCTP thread responsible for handling metric increments, it can lead to service interruptions or outages in the radio access network communication layer. This disruption can affect network operators' ability to maintain stable and reliable 5G connectivity, potentially degrading user experience and impacting critical services relying on 5G infrastructure. Although confidentiality and integrity are not compromised, the availability impact is significant, especially for telecom operators and service providers deploying O-RAN architectures. The ease of exploitation—requiring no authentication or user interaction—means attackers can remotely trigger the crash, increasing the risk of widespread service disruptions. Organizations relying on O-RAN E2T I-Release for their 5G deployments may face operational challenges and reputational damage if the vulnerability is exploited.

To mitigate CVE-2024-34045, organizations should implement the following specific measures: 1) Immediately monitor O-RAN E2T I-Release instances for abnormal crashes or SCTP thread failures, focusing on Prometheus metric increments related to E2 setup procedures. 2) Employ network-level protections such as rate limiting and traffic filtering to restrict potentially malicious or malformed SCTP messages that could trigger the vulnerability. 3) Isolate critical O-RAN components within segmented network zones to limit exposure to untrusted networks. 4) Engage with O-RAN software vendors and community to obtain patches or updates as soon as they become available, and prioritize timely deployment. 5) Consider implementing application-layer watchdogs or process supervisors that can automatically restart crashed components to minimize downtime. 6) Conduct thorough testing of O-RAN E2T deployments in controlled environments to identify and address any stability issues related to metric handling. 7) Maintain up-to-date incident response plans tailored to telecom infrastructure to quickly respond to potential denial-of-service incidents. These targeted actions go beyond generic advice by focusing on the specific metric increment function and SCTP thread behavior implicated in this vulnerability.