CVSS 3.1 base metrics

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a bit string that doesn't properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when compiled with OpenSSL libcrypto versions below 3, Fort recklessly dereferences the pointer. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.
Affected packages

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | fort-validator | < any | UNKNOWN |
ubuntu | 22.04 | noarch | fort-validator | < any | UNKNOWN |
ubuntu | 24.04 | noarch | fort-validator | < any | UNKNOWN |