
Vulnerability in RPKI manifest validation

High severity GitHub Reviewed Published Nov 3, 2020 in RIPE-NCC/rpki-validator-3 • Updated Jan 9, 2023

Package

net.ripe.rpki:rpki-validator-3 (Maven)

Affected versions

<= 3.2-2020.10.28.22.25

Patched versions

3.2-2020.10.28.23.06

Description

A vulnerability in RPKI manifest validation exists when objects on the manifest are hidden, or expired objects are replayed. An attacker successfully exploiting this vulnerability could prevent new ROAs from being received or selectively hide ROAs, causing routes to become INVALID.

To exploit this vulnerability, an attacker would need to perform a man-in-the-middle attack on the TLS connection between the validator and an RRDP repository, or a man-in-the-middle attack against an rsync-only repository.

The update addresses the vulnerability by implementing validation methods from RFC 6486bis and enabling strict validation by default.
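As an added example (not code from rpki-validator-3 or RIPE NCC), the check below models the strict manifest rules from RFC 6486bis that the patch enables by default: a listed object that is missing or altered, a stale manifest, or a manifest number that does not increase rejects the whole publication point instead of silently dropping the affected ROAs. The function names, the hypothetical CA and the sample ROA contents are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Manifest:
    number: int            # manifestNumber; must increase with each new issue
    next_update: datetime  # after this time the manifest is stale
    files: dict            # fileName -> SHA-256 hex digest listed on the manifest


def validate_publication_point(manifest, fetched, now, last_seen_number=None):
    """Strict mode (RFC 6486bis): return (accepted, reasons). A stale manifest,
    a non-increasing manifestNumber, or any listed object that is missing or
    altered rejects the whole publication point instead of silently dropping
    the affected ROAs, which is what let an attacker hide them."""
    reasons = []
    if manifest.next_update < now:
        reasons.append("manifest stale: nextUpdate is in the past")
    if last_seen_number is not None and manifest.number <= last_seen_number:
        reasons.append(f"manifestNumber {manifest.number} not above last seen "
                       f"{last_seen_number}: replayed manifest")
    for name, digest in manifest.files.items():
        data = fetched.get(name)
        if data is None:
            reasons.append(f"{name} on manifest but not in repository: hidden object")
        elif hashlib.sha256(data).hexdigest() != digest:
            reasons.append(f"{name} hash does not match its manifest entry")
    return (not reasons, reasons)


# Constructed sample publication point (hypothetical CA, two ROAs).
ROAS = {"as64500.roa": b"constructed ROA for AS64500",
        "as64501.roa": b"constructed ROA for AS64501"}
NOW = datetime(2020, 10, 29, tzinfo=timezone.utc)
CURRENT = Manifest(42, NOW + timedelta(days=1),
                   {n: hashlib.sha256(d).hexdigest() for n, d in ROAS.items()})


def demo():
    """Complete fetch, fetch with one ROA withheld, and a replayed older manifest."""
    full = validate_publication_point(CURRENT, ROAS, NOW, 41)
    hidden = validate_publication_point(CURRENT, {"as64500.roa": ROAS["as64500.roa"]}, NOW, 41)
    old = Manifest(41, NOW - timedelta(days=1), CURRENT.files)
    replayed = validate_publication_point(old, ROAS, NOW, 42)
    return full[0], hidden[0], replayed[0]


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Before the fix, the second and third cases would have left the validator with a partial or outdated set of ROAs rather than a rejected fetch, which is the route-to-INVALID effect the advisory describes.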

References

ties published to RIPE-NCC/rpki-validator-3 Nov 3, 2020
Reviewed Nov 13, 2020
Published to the GitHub Advisory Database Nov 13, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-q76j-58cx-wp5v

Source code

No known source code