An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a bit string that doesn't properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when compiled with OpenSSL libcrypto versions below 3, Fort recklessly dereferences the pointer. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.
History

Mon, 26 Aug 2024 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Fort Validator Project
Fort Validator Project fort Validator
Weaknesses CWE-476
CPEs cpe:2.3:a:fort_validator_project:fort_validator:*:*:*:*:*:*:*:*
Vendors & Products Fort Validator Project
Fort Validator Project fort Validator
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 24 Aug 2024 22:45:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a bit string that doesn't properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when compiled with OpenSSL libcrypto versions below 3, Fort recklessly dereferences the pointer. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-08-24T00:00:00

Updated: 2024-08-26T16:09:33.187Z

Reserved: 2024-08-24T00:00:00

Link: CVE-2024-45238

cve-icon Vulnrichment

Updated: 2024-08-26T16:09:26.421Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2024-08-24T23:15:04.303

Modified: 2024-08-26T16:35:13.637

Link: CVE-2024-45238

cve-icon Redhat

No data.