CVEs

CVE-2024-45238

Certificate containing a malformed subjectPublicKey crashes Fort 1.6.2-, when compiled with OpenSSL < 3.

Description A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a bit string that doesn’t properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when compiled with OpenSSL libcrypto versions below 3, Fort was recklessly dereferencing the pointer.
Impact Crash. (Potential unavailability of Route Origin Validation.)
Patch Commit 5689dea, released in Fort 1.6.3.
Acknowledgments Thanks to Niklas Vogel and Haya Schulmann for their research and disclosure.

CVE-2024-45237

Certificate containing a Key Usage bit string longer than 2 bytes causes buffer overflow on Fort 1.6.2-.

Description A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a Key Usage extension consisting of more than two bytes of data. Fort used to write this string on a 2-byte buffer without properly sanitizing its length, leading to buffer overflow.
Impact Depending on compilation options, the vulnerability would lead to a crash (which might in turn lead to unavailability of Route Origin Validation), incorrect validation results or arbitrary code execution.
Patch Commit 939d988, released in Fort 1.6.3.
Acknowledgments Thanks to Niklas Vogel and Haya Schulmann for their research and disclosure.

CVE-2024-45235

Certificate containing an Authority Key Identifier missing a keyIdentifier crashes Fort 1.6.2-.

Description A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing an Authority Key Identifier extension missing the keyIdentifier field. Fort was referencing the pointer without sanitizing it first.
Impact Crash. (Potential unavailability of Route Origin Validation.)
Patch Commit b1eb3c5, released in Fort 1.6.3.
Acknowledgments Thanks to Niklas Vogel and Haya Schulmann for their research and disclosure.

CVE-2024-45236

Signed Object containing empty signedAttrs crashes Fort 1.6.2-.

Description A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a signed object containing an empty signedAttributes. Fort was accessing the set’s elements without sanitizing it first.
Impact Crash. (Potential unavailability of Route Origin Validation.)
Patch Commit 4dafbd9, released in Fort 1.6.3.
Acknowledgments Thanks to Niklas Vogel and Haya Schulmann for their research and disclosure.

CVE-2024-45239

Signed Object containing null eContent crashes Fort 1.6.2-.

Description A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a ROA or Manifest containing a null eContent. Fort was dereferencing the pointer without sanitizing it first.
Impact Crash. (Potential unavailability of Route Origin Validation.)
Patch Commit 942f921, released in Fort 1.6.3.
Acknowledgments Thanks to Niklas Vogel and Haya Schulmann for their research and disclosure.

CVE-2024-45234

Certificate containing signedAttrs not in canonical form crashes Fort 1.6.2-.

Description A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a ROA or Manifest containing a signedAttrs encoded in non-canonical form. This bypassed the BER-decoder, reaching a point in the code that panicked when faced with data not encoded in DER.
Impact Crash. (Potential unavailability of Route Origin Validation.)
Patch Commit 521b1a0, released in Fort 1.6.3.
Acknowledgments Thanks to Niklas Vogel and Haya Schulmann for their research and disclosure.

CVE-__-___

(Awaiting CVE ID number assignment.)

Malicious rsync repositories can block Fort by drip-feeding repository objects.

Description A malicious RPKI rsync repository can prevent Fort from finishing its validation run by drip-feeding its content.
Impact Delayed validation. (Stale or unavailable Route Origin Validation.)
Patch Commit 4ee88d1, released in Fort 1.6.4.
Acknowledgments Thanks to Koen van Hove for his research and disclosure, and Job Snijders for the proposed fix.