CVE-2024-45238
Severity: HIGH
nicmx fort_validator < 1.6.3 - Denial of Service via Malformed RPKI Resource Certificate
Title source: llmDescription
An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a bit string that doesn't properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when compiled with OpenSSL libcrypto versions below 3, Fort recklessly dereferences the pointer. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.
References (2)
Core References
Vendor Advisory
https://nicmx.github.io/FORT-validator/CVE.html
Scores
CVSS v3
7.5
EPSS
0.0031
EPSS Percentile
22.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-476
Status
published
Products (1)
nicmx/fort_validator
< 1.6.3
Published
Aug 24, 2024
Tracked Since
Feb 18, 2026