CVE-2021-41531
📋 TL;DR
Routinator versions before 0.10.0 produce invalid RTR payloads when processing ROAs with excessively large max-length values from RPKI CAs. This causes RTR clients like routers to reject RPKI data, disabling Route Origin Validation (ROV) and potentially allowing BGP hijacking. Organizations using Routinator for RPKI validation are affected.
💻 Affected Systems
- NLnet Labs Routinator
📦 What is this software?
Routinator by NLnet Labs. Routinator is NLnet Labs' RPKI relying party (validator) software: it fetches and validates RPKI data and serves the resulting validated ROA payloads to routers over the RTR protocol.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious ROAs with large max-length values to trigger the bug, causing widespread RPKI validation failures and enabling BGP route hijacking across networks that rely on ROV.
Likely Case
Accidental or misconfigured ROAs from legitimate CAs trigger the bug, causing intermittent RPKI validation failures and degraded ROV protection until Routinator is restarted or patched.
If Mitigated
With proper monitoring and quick patching, impact is limited to temporary ROV degradation without successful exploitation.
🎯 Exploit Status
Exploitation requires the ability to publish ROAs with large max-length values to RPKI repositories, which typically requires a CA compromise or misconfiguration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.10.0 and later
Vendor Advisory: https://www.nlnetlabs.nl/downloads/routinator/CVE-2021-41531.txt
Restart Required: Yes
Instructions:
1. Download Routinator 0.10.0 or later from NLnet Labs.
2. Stop the running Routinator service.
3. Install the new version.
4. Restart the Routinator service.
🔧 Temporary Workarounds
Filter problematic ROAs
Configure Routinator to filter or ignore ROAs with excessively large max-length values before they trigger the bug.
# Requires custom configuration or filtering scripts
# No direct command available
Monitor and restart
Implement monitoring for RTR payload validation failures and automatically restart Routinator when they are detected.
# Set up monitoring for Routinator logs and restart service on error detection
systemctl restart routinator
🧯 If You Can't Patch
- Implement alternative RPKI validation solutions temporarily
- Increase monitoring of BGP routes and RPKI validation status
🔍 How to Verify
Check if Vulnerable:
Check the Routinator version: if the version is below 0.10.0, the system is vulnerable.
Check Version:
routinator --version
Verify Fix Applied:
Verify Routinator version is 0.10.0 or higher and check that RTR clients are accepting RPKI data without validation errors.
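The version check above, as an added shell script that is not NLnet Labs' code: it parses the output of `routinator --version` and compares it against the fixed version 0.10.0. It assumes the command prints `routinator X.Y.Z` on a single line (an assumption; confirm against your own build) and reports anything it cannot parse as unknown rather than fixed, so an unexpected output format is surfaced instead of silently passing.

```shell
#!/bin/sh
# Added example (not from NLnet Labs or the advisory): classify a Routinator
# install as VULNERABLE, FIXED or UNKNOWN from its `--version` output.
# Assumption: `routinator --version` prints "routinator X.Y.Z" on one line.

FIXED_VERSION="0.10.0"

# parse_version "routinator 0.9.0" -> prints "0.9.0" (prints nothing if unparsable)
parse_version() {
    printf '%s\n' "$1" | sed -n 's/^routinator[[:space:]][[:space:]]*\([0-9][0-9.]*\).*$/\1/p'
}

# version_lt A B -> exit 0 when dotted version A is numerically less than B.
# Pure POSIX sh, so it does not depend on GNU `sort -V`; missing components count as 0.
version_lt() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; a=${a#*.}
        bi=${b%%.*}; b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# check_version_output "routinator 0.9.0" -> prints VULNERABLE, FIXED or UNKNOWN
check_version_output() {
    ver=$(parse_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "VULNERABLE"
    else
        echo "FIXED"
    fi
}

# Stand-alone use against the live binary, when it is installed on this host.
if command -v routinator >/dev/null 2>&1; then
    check_version_output "$(routinator --version 2>&1)"
fi
```

A pre-release such as `0.9.0-rc1` is parsed as `0.9.0` and therefore reported as vulnerable, which is the conservative outcome; treat `UNKNOWN` as a finding to investigate, not as a pass.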
📡 Detection & Monitoring
Log Indicators:
- Routinator logs showing RTR payload generation errors
- RTR client logs rejecting RPKI data
- Increased BGP route changes without RPKI validation
Network Indicators:
- RTR protocol errors between Routinator and clients
- Unusual ROA publications with large max-length values
SIEM Query:
source="routinator.log" AND ("error" OR "invalid" OR "reject")
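The "Monitor and restart" workaround and the SIEM query above, combined into one added shell check that is not NLnet Labs' code: it counts log lines matching the page's indicator terms (error, invalid, reject) and restarts the service only when such lines are present. The log path is an assumed default, the log lines used for the dry run are constructed for illustration and are not genuine Routinator messages, and the narrower RTR-scoped pattern assumes Routinator mentions "RTR" in the relevant lines, which should be confirmed against your own logs.

```shell
#!/bin/sh
# Added example (not from NLnet Labs or the advisory): count indicator lines
# in a Routinator log and drive the restart workaround from the result.
# Assumptions: log path below; RTR-related messages contain the word "RTR".

LOG_FILE="${LOG_FILE:-/var/log/routinator.log}"   # assumed path; adjust to your logging setup

# count_indicators < log -> prints the number of lines matching the page's SIEM terms
count_indicators() {
    grep -ciE 'error|invalid|reject' || true   # `|| true`: grep exits 1 on zero matches
}

# count_rtr_indicators < log -> like count_indicators, but only lines that also mention RTR,
# which cuts false positives from unrelated errors (assumes "RTR" appears in those lines)
count_rtr_indicators() {
    grep -iE 'error|invalid|reject' | grep -ci 'rtr' || true
}

# check_log LOGFILE -> prints "restart" when indicators are present, else "ok"
check_log() {
    n=$(count_indicators < "$1")
    if [ "$n" -gt 0 ]; then
        echo "restart"
    else
        echo "ok"
    fi
}

# monitor_once LOGFILE -> applies the workaround: restart the service when indicators are seen
monitor_once() {
    if [ "$(check_log "$1")" = "restart" ]; then
        systemctl restart routinator
    fi
}

# sample_log -> constructed sample lines for a dry run; NOT real Routinator output
sample_log() {
    cat <<'EOF'
2021-10-05T10:00:00Z INFO  validation run completed
2021-10-05T10:05:00Z ERROR RTR: invalid payload, dropping client connection
2021-10-05T10:10:00Z WARN  repository fetch error, retrying
2021-10-05T10:15:00Z INFO  validation run completed
EOF
}

# Dry run on the constructed sample (no restart is issued here).
printf 'broad indicators: %s\n' "$(sample_log | count_indicators)"
printf 'RTR-scoped indicators: %s\n' "$(sample_log | count_rtr_indicators)"
```

Run `monitor_once "$LOG_FILE"` from a timer or cron entry to get the automatic restart; the broad count reproduces the SIEM query and will also fire on unrelated errors (the sample's repository fetch line, for instance), so prefer the RTR-scoped count once you have confirmed the wording Routinator uses in your version.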