Quick take - A critical buffer-overflow vulnerability, designated CVE-2024-45237, has been discovered in the RPKI validator Fort, allowing for remote code execution and posing significant risks to networks utilizing Resource Public Key Infrastructure (RPKI).

Fast Facts

A critical buffer-overflow vulnerability (CVE-2024-45237) in the RPKI validator Fort allows for Remote Code Execution (RCE) on affected systems, posing significant risks to networks using RPKI.
The vulnerability, stemming from a bug in X.509 certificate processing, can be exploited by attackers to manipulate data and trigger a buffer overflow, enabling arbitrary code execution.
Over 100 systems, including major organizations, are running vulnerable versions of Fort, which could lead to malicious route origins, prefix hijacking, and invalidation of legitimate prefix announcements.
Recommendations for mitigating risks include avoiding sensitive data storage on RP servers, implementing network separation, and establishing monitoring solutions to detect breaches.
The analysis highlights the need for improved security practices in RPKI implementations to address potential vulnerabilities and enhance overall network security.

Severe Buffer-Overflow Vulnerability in RPKI Validator Fort

A severe buffer-overflow vulnerability has been identified in the RPKI validator Fort, designated as CVE-2024-45237. This vulnerability has been assigned a critical CVE rating of 9.8, allowing for Remote Code Execution (RCE) on affected machines. This poses significant risks for networks utilizing Resource Public Key Infrastructure (RPKI).

Understanding RPKI and Its Risks

The RPKI system is designed to enhance the security of the Border Gateway Protocol (BGP) by utilizing cryptographic attestations stored in distributed RPKI Publication Points (PPs). Relying Party (RP) clients play a crucial role in this system, as they are responsible for fetching, parsing, and validating RPKI objects. This makes them a central trust point for BGP routers. A compromise of the RP could lead to a downgrade in RPKI protection, adversely impacting routing decisions made by routers.

The vulnerability stems from a bug in the processing of the key-usage extension of X.509 certificates, which are frequently employed in RPKI objects. The flaw allows an attacker to manipulate the length of data copied into a stack array, resulting in a potential buffer overflow. Attackers can exploit this vulnerability by creating a malicious RPKI repository and inserting a specially crafted object designed to trigger the overflow. A Proof-of-Concept (PoC) attack has demonstrated this capability, showing the ability to overwrite the function return pointer and enabling arbitrary code execution.

Exploitation and Impact

The exploitability of the vulnerability may be affected by the compiler setup, including the presence of memory protection mechanisms. However, the attack can be adapted to various environments, and even those with compiler protections can be targeted, although with additional effort. In practical scenarios, exploitation could occur by placing a malicious RPKI object within a live RPKI PP, allowing global RPs to download and process the harmful data.

The vulnerability was introduced into the code repository in January 2019 and affects all Fort versions from Beta-version 2 to version 1.6.2. Over 100 systems, including major organizations, are currently running vulnerable versions of Fort. The compromise of an RP through RCE facilitates arbitrary manipulation of RPKI data, potentially enabling malicious route origins and prefix hijacking. Attackers could also invalidate legitimate prefix announcements by altering RPKI data, leading to data theft, malware installation, or denial-of-service attacks.

Recommendations for Improved Security

The analysis raises concerns regarding the origin of the vulnerability, suggesting both intentional planting and benign coding errors. In light of these findings, the authors emphasize the necessity for improved security practices in RPKI implementations. Recommendations include: