CVE-2021-43173

7.5 HIGH

📋 TL;DR

CVE-2021-43173 is a denial-of-service vulnerability in NLnet Labs Routinator before 0.10.2. A malicious RRDP repository can stall a validation run by feeding its response slowly enough to keep the connection alive, because the RRDP request timeout only covered connection setup, not the complete request. While the run is stalled Routinator keeps serving the previous run's increasingly stale data, and an instance that never completes a run serves no data at all. Any deployment that uses Routinator for RPKI validation with RRDP enabled is affected.

💻 Affected Systems

Products:
  • NLnet Labs Routinator
Versions: All versions prior to 0.10.2
Operating Systems: All platforms running Routinator
Default Config Vulnerable: ⚠️ Yes
Notes: Affects every configuration in which RRDP is enabled, which is the default. Data fetched over rsync is not affected by this issue.

📦 What is this software?

Routinator is NLnet Labs' open-source RPKI relying party (validator) software, written in Rust. It fetches RPKI objects from publication servers over rsync and RRDP, validates them against the configured trust anchors, and serves the resulting validated ROA payloads (VRPs) to routers over the RTR protocol and over HTTP, so that routers can perform route origin validation on BGP announcements.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Routinator never finishes a validation run and stops serving RPKI data. Routers that depend on it for route origin validation keep their cached VRPs only until those expire; after that every route evaluates as NotFound, which is normally accepted, so the protection RPKI was providing is silently gone.

🟠 Likely Case

Runs overrun their schedule and Routinator keeps serving the VRPs from the last run that did complete. ROA changes made since then are not reflected: announcements that have become invalid are still accepted, and newly authorized ones may be rejected.

🟢 If Mitigated

With 0.10.2 or later the RRDP timeout covers the complete request rather than only the connection setup, so a slow repository is abandoned and the run continues with the rest of the tree. No impact.

🌐 Internet-Facing: HIGH - the vulnerable path is Routinator's own outbound RRDP fetch from publication servers on the internet; no inbound exposure is needed.
🏢 Internal Only: LOW - network placement does not change the exposure; what matters is whether the instance fetches external RRDP repositories at all. Only an instance with RRDP disabled is out of reach.

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires control of an RRDP repository that Routinator follows, that is, a publication server referenced from a CA certificate somewhere under one of the configured trust anchors. Any CA operator in the RPKI tree, or anyone who compromises a publication server, is in that position; Routinator discovers repositories from the RPKI data itself, so there is no allow-list to get past. Once that is given, the attack is trivial: answer the request and send the response body a few bytes at a time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.10.2 and later

Vendor Advisory: https://www.nlnetlabs.nl/downloads/routinator/CVE-2021-43172_CVE-2021-43173_CVE-2021-43174.txt

Restart Required: Yes

Instructions:

1. Download Routinator 0.10.2 or later from NLnet Labs.
2. Stop the Routinator service.
3. Replace the Routinator binary with the patched version.
4. Restart the Routinator service.

🔧 Temporary Workarounds

Use rsync only (all platforms)

Disable RRDP so that Routinator fetches every repository over rsync. Routinator does not take a list of repository URLs; publication points are discovered from the RPKI data, so the only switch is the 'disable-rrdp' configuration option (or the '--disable-rrdp' command-line flag); confirm the exact name against the manual for your version. Expect slower and heavier validation runs, since rsync is the fallback transport.

Network filtering (all platforms)

Restrict which RRDP hosts (HTTPS, TCP/443) Routinator may reach with egress firewall rules. Routinator falls back to rsync for a repository whose RRDP fetch fails, so blocked repositories still need rsync (TCP/873) access or their branch of the RPKI tree is lost. This only helps against repositories you already distrust; it does nothing against a compromised publication server of a legitimate CA.

🧯 If You Can't Patch

  • Monitor validation run duration and the age of the last completed run (Routinator exposes both through its HTTP '/metrics' endpoint in Prometheus format and on the '/status' page) and alert when a run overruns or the served data ages past the refresh interval
  • Use egress controls to limit which RRDP repositories Routinator can connect to, keeping rsync reachable for the fallback

🔍 How to Verify

Check if Vulnerable:

Run 'routinator --version'. If the reported version is below 0.10.2 and RRDP is enabled (it is unless 'disable-rrdp' is set), the instance is vulnerable.

Check Version:

routinator --version

Verify Fix Applied:

After patching, confirm that 'routinator --version' reports 0.10.2 or later and that validation runs again complete within their usual time.

📡 Detection & Monitoring

Log Indicators:

  • Validation runs taking significantly longer than normal, or never completing
  • RRDP timeouts or fetch errors repeatedly attributed to the same repository (on a patched instance a slow feed surfaces as a request timeout for that repository)

Network Indicators:

  • Long-lived HTTPS connections from the validator to an RRDP repository carrying only a trickle of bytes in return
  • Repeated connection attempts to the same repository from run to run

SIEM Query:

source="routinator" AND ("timeout" OR ("validation" AND "delay") OR ("RRDP" AND "slow"))

Parenthesize the AND groups explicitly; a bare mix of AND and OR evaluates differently across SIEMs. Adjust the terms to the log strings your Routinator version actually emits.
