An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) an ROA or a Manifest containing a signedAttrs encoded in non-canonical form. This bypasses Fort's BER decoder, reaching a point in the code that panics when faced with data not encoded in DER. Because Fort is an RPKI Relying Party, a panic can lead to Route Origin Validation unavailability, which can lead to compromised routing.
References
Link | Resource |
---|---|
https://nicmx.github.io/FORT-validator/CVE.html | Third Party Advisory |
Configurations
History
27 Aug 2024, 15:45
Type | Values Removed | Values Added |
---|---|---|
First Time |
Nicmx
Nicmx fort-validator |
|
CPE | cpe:2.3:a:nicmx:fort-validator:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CWE | NVD-CWE-noinfo | |
References | () https://nicmx.github.io/FORT-validator/CVE.html - Third Party Advisory |
26 Aug 2024, 12:47
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
24 Aug 2024, 23:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-24 23:15
Updated : 2024-08-27 15:45
NVD link : CVE-2024-45234
Mitre link : CVE-2024-45234
CVE.ORG link : CVE-2024-45234
JSON object : View
Products Affected
nicmx
- fort-validator
CWE