CVE-2024-56170

A validation integrity issue was discovered in Fort through 1.6.4 before 2.0.0. RPKI manifests are listings of relevant files that clients are supposed to verify. Assuming everything else is correct, the most recent version of a manifest should be prioritized over other versions, to prevent replays, accidental or otherwise. Manifests contain the manifestNumber and thisUpdate fields, which can be used to gauge the relevance of a given manifest, when compared to other manifests. The former is a serial-like sequential number, and the latter is the date on which the manifest was created. However, the product does not compare the up-to-dateness of the most recently fetched manifest against the cached manifest. As such, it's prone to a rollback to a previous version if it's served a valid outdated manifest. This leads to outdated route origin validation.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://nicmx.github.io/FORT-validator/CVE.html	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nicmx:fort-validator:*:*:*:*:*:*:*:*

History

22 Apr 2025, 15:35

Type	Values Removed	Values Added
First Time		Nicmx Nicmx fort-validator
CPE		cpe:2.3:a:nicmx:fort-validator::::::::
References	~~() https://nicmx.github.io/FORT-validator/CVE.html -~~	() https://nicmx.github.io/FORT-validator/CVE.html - Vendor Advisory

26 Dec 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-18 05:15

Updated : 2025-04-22 15:35

NVD link : CVE-2024-56170

Mitre link : CVE-2024-56170

CVE.ORG link : CVE-2024-56170

JSON object : View

Products Affected

nicmx

fort-validator

CWE

CWE-346

Origin Validation Error

{"id": "CVE-2024-56170", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2024-12-18T05:15:09.093", "references": [{"url": "https://nicmx.github.io/FORT-validator/CVE.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-346"}]}], "descriptions": [{"lang": "en", "value": "A validation integrity issue was discovered in Fort through 1.6.4 before 2.0.0. RPKI manifests are listings of relevant files that clients are supposed to verify. Assuming everything else is correct, the most recent version of a manifest should be prioritized over other versions, to prevent replays, accidental or otherwise. Manifests contain the manifestNumber and thisUpdate fields, which can be used to gauge the relevance of a given manifest, when compared to other manifests. The former is a serial-like sequential number, and the latter is the date on which the manifest was created. However, the product does not compare the up-to-dateness of the most recently fetched manifest against the cached manifest. As such, it's prone to a rollback to a previous version if it's served a valid outdated manifest. This leads to outdated route origin validation."}, {"lang": "es", "value": "Se descubri\u00f3 un problema de integridad de validaci\u00f3n en Fort hasta 1.6.4 antes de 2.0.0. Los manifiestos RPKI son listas de archivos relevantes que los clientes deben verificar. Suponiendo que todo lo dem\u00e1s sea correcto, se debe priorizar la versi\u00f3n m\u00e1s reciente de un manifiesto sobre otras versiones, para evitar repeticiones, accidentales o de otro tipo. Los manifiestos contienen los campos manifestNumber y thisUpdate, que se pueden usar para medir la relevancia de un manifiesto determinado, en comparaci\u00f3n con otros manifiestos. El primero es un n\u00famero secuencial de tipo serial y el segundo es la fecha en la que se cre\u00f3 el manifiesto. Sin embargo, el producto no compara la actualidad del manifiesto obtenido m\u00e1s recientemente con el manifiesto almacenado en cach\u00e9. Como tal, es propenso a una reversi\u00f3n a una versi\u00f3n anterior si se entreg\u00f3 un manifiesto desactualizado v\u00e1lido. Esto conduce a una validaci\u00f3n de origen de ruta desactualizada."}], "lastModified": "2025-04-22T15:35:05.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nicmx:fort-validator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A7AF0CB2-A742-4215-8885-81068A9382B3", "versionEndIncluding": "1.6.6"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}