CVE-2022-24798 – IRRd version 4.2.x improperly exposed password ... (How to Fix)

Q: What is the severity of CVE-2022-24798?

CVE-2022-24798 has a CVSS score of 7.5 (HIGH). IRRd version 4.2.x improperly exposed password hashes in query responses for mntner objects and database exports, allowing attackers to retrieve hashes, brute-force passwords, and make unauthorized changes to IRR objects. This only affects authoritative IRRd instances (not mirrors) that process password hashes. Users of IRRd 4.2.x series are vulnerable.

📋 TL;DR

IRRd version 4.2.x improperly exposed password hashes in query responses for mntner objects and database exports, allowing attackers to retrieve hashes, brute-force passwords, and make unauthorized changes to IRR objects. This only affects authoritative IRRd instances (not mirrors) that process password hashes. Users of IRRd 4.2.x series are vulnerable.

💻 Affected Systems

Products:

IRRd (Internet Routing Registry daemon)

Versions: IRRd 4.2.0 through 4.2.2

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects IRRd instances serving authoritative databases that process password hashes; mirrors are not affected. IRRd 4.1.x series was never vulnerable.

📦 What is this software?

Internet Routing Registry Daemon by Internet Routing Registry Daemon Project

View all CVEs affecting Internet Routing Registry Daemon →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain password hashes, crack them offline, gain unauthorized access to modify IRR routing objects, potentially causing routing hijacks or BGP misconfigurations affecting network traffic.

🟠

Likely Case

Attackers retrieve password hashes from exposed instances, attempt brute-force attacks, and if successful, make unauthorized modifications to IRR database entries.

🟢

If Mitigated

With proper patching, no exposure occurs; password hashes remain filtered in responses, preventing hash retrieval and subsequent attacks.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires querying the IRRd service to retrieve password hashes, which can be done without authentication via standard IRR queries.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: IRRd 4.2.3 or main branch

Vendor Advisory: https://github.com/irrdnet/irrd/security/advisories/GHSA-cqxx-66wh-8pjw

Restart Required: Yes

Instructions:

1. Backup current IRRd configuration and data. 2. Stop the IRRd service. 3. Upgrade to IRRd 4.2.3 or later using package manager or source. 4. Restart the IRRd service. 5. Verify the fix by checking version and testing queries.

🔧 Temporary Workarounds

No workarounds available

all

The vendor states there are no known workarounds; upgrading is the only solution.

🧯 If You Can't Patch

Disable or restrict access to the IRRd service from untrusted networks to reduce exposure.
Monitor logs for unusual query patterns or attempts to access mntner objects, and consider temporary service shutdown if patching is delayed.

🔍 How to Verify

Check if Vulnerable:

Check IRRd version: if running 4.2.0 to 4.2.2 and serving authoritative databases, it is vulnerable. Test by querying mntner objects to see if password hashes are exposed in responses.

Check Version:

irrd --version or check service logs/configuration for version info

Verify Fix Applied:

After patching, verify version is 4.2.3 or later, and confirm password hashes are no longer visible in query responses for mntner objects or exports.

📡 Detection & Monitoring

Log Indicators:

Unusual increase in queries for mntner objects, especially from external IPs
Log entries showing hash retrieval attempts in query responses

Network Indicators:

Increased traffic to IRRd port (typically 43 or 4321) with queries targeting mntner objects
Patterns of repeated queries from single sources

SIEM Query:

source="irrd.log" AND (query="*mntner*" OR response_contains="*crypt*" OR response_contains="*hash*")

📊 Metadata

CVE ID: CVE-2022-24798

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-212

Published: March 31, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/irrdnet/irrd/commit/0e41bae8d3d27316381a2fc7b466597230e35ec6 Patch,Third Party Advisory
https://github.com/irrdnet/irrd/commit/fdffaf8dd71713f06e99dff417e6aa1e6fa84b70 Patch,Third Party Advisory
https://github.com/irrdnet/irrd/security/advisories/GHSA-cqxx-66wh-8pjw Release Notes,Third Party Advisory
https://github.com/irrdnet/irrd/commit/0e41bae8d3d27316381a2fc7b466597230e35ec6 Patch,Third Party Advisory
https://github.com/irrdnet/irrd/commit/fdffaf8dd71713f06e99dff417e6aa1e6fa84b70 Patch,Third Party Advisory
https://github.com/irrdnet/irrd/security/advisories/GHSA-cqxx-66wh-8pjw Release Notes,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-24798, you might also want to check these: