CVE-2024-1622
📋 TL;DR
Routinator versions 0.14.0 through 0.14.2 contain a vulnerability where the software will crash when an RTR (RPKI-to-Router) connection is reset by the peer too quickly after opening. This is due to improper error handling in the connection management code. Systems running vulnerable versions of Routinator for RPKI validation are affected.
💻 Affected Systems
- Routinator
📦 What is this software?
Fedora by Fedoraproject
Routinator by Nlnetlabs
⚠️ Risk & Real-World Impact
Worst Case
An attacker could repeatedly trigger the crash, causing denial of service for RPKI validation services, potentially disrupting BGP routing security and causing network instability.
Likely Case
Accidental or malicious rapid connection resets cause Routinator to crash, requiring manual restart and causing temporary loss of RPKI validation services.
If Mitigated
With proper network controls and monitoring, the impact is limited to occasional service interruptions that can be quickly restored.
🎯 Exploit Status
Exploitation requires network access to the RTR port (default 3323). The vulnerability is simple to trigger by establishing and immediately resetting TCP connections.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.14.3
Vendor Advisory: https://www.nlnetlabs.nl/downloads/routinator/CVE-2024-1622.txt
Restart Required: Yes
Instructions:
1. Download Routinator 0.14.3 from NLnet Labs.
2. Stop the current Routinator service.
3. Install the new version.
4. Restart the Routinator service.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the RTR port (default 3323) to trusted peers only using firewall rules. Replace trusted_peer_ip with the address of each authorized router (one ACCEPT rule per peer), and keep the DROP rule after the ACCEPT rules so iptables evaluates the allow list first:
iptables -A INPUT -p tcp --dport 3323 -s trusted_peer_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 3323 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to limit RTR port access to authorized BGP routers only.
- Deploy monitoring and automated restart mechanisms to detect and recover from crashes quickly.
🔍 How to Verify
Check if Vulnerable:
Check the Routinator version with 'routinator --version'. If the version is between 0.14.0 and 0.14.2 inclusive, the system is vulnerable.
Check Version:
routinator --version
Verify Fix Applied:
After patching, verify that the version is 0.14.3 or higher with 'routinator --version'. Test by attempting to trigger the condition with controlled connection resets.
📡 Detection & Monitoring
Log Indicators:
- Unexpected Routinator process termination
- RTR connection errors followed by service crash
- Increased restart frequency in system logs
Network Indicators:
- Multiple rapid TCP connections to port 3323 followed by RST packets
- Unusual connection patterns from single sources to RTR port
SIEM Query:
source="routinator.log" AND ("panic" OR "fatal" OR "unexpected termination")
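The network indicator above (many rapid connections to port 3323 from one source, each followed by an RST) can be scored from connection logs. The following Python is an added example, not part of the advisory or of Routinator; it assumes a constructed firewall-style log format ("<epoch> <src_ip>:<port> -> <dst_ip>:<port> <OPEN|RST>") and the thresholds in the constants, all of which are assumptions to tune for your environment.

```python
"""Flag sources that open and quickly reset many RTR (port 3323) connections."""
from collections import defaultdict

RTR_PORT = 3323        # default RTR port named in the advisory
RESET_WITHIN_S = 0.5   # assumed: an RST this soon after OPEN counts as a "rapid reset"
WINDOW_S = 60.0        # assumed: sliding window for the per-source count
THRESHOLD = 5          # assumed: alert once a source reaches this many in one window

def parse_line(line):
    # Constructed firewall-style format: "<epoch> <src_ip>:<port> -> <dst_ip>:<port> <OPEN|RST>"
    ts, src, _, dst, event = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    return float(ts), src_ip, int(src_port), int(dst.rsplit(":", 1)[1]), event

def rapid_resets(lines):
    """Map src_ip -> timestamps of RSTs that followed the OPEN within RESET_WITHIN_S."""
    open_at, resets = {}, defaultdict(list)
    for line in lines:
        ts, src_ip, src_port, dst_port, event = parse_line(line)
        if dst_port != RTR_PORT:
            continue  # only the RTR listener matters here
        key = (src_ip, src_port)
        if event == "OPEN":
            open_at[key] = ts
        elif event == "RST" and key in open_at and ts - open_at.pop(key) <= RESET_WITHIN_S:
            resets[src_ip].append(ts)
    return resets

def flagged_sources(lines):
    """Sources with at least THRESHOLD rapid resets inside some WINDOW_S-second span."""
    flagged = set()
    for src_ip, stamps in rapid_resets(lines).items():
        stamps.sort()
        if any(stamps[i + THRESHOLD - 1] - stamps[i] <= WINDOW_S
               for i in range(len(stamps) - THRESHOLD + 1)):
            flagged.add(src_ip)
    return flagged

# Constructed sample: a legitimate router (192.0.2.10) holding one session, a source
# (203.0.113.7) resetting six connections within seconds, and a slow closer
# (203.0.113.9) whose RSTs arrive too late after OPEN to count as rapid.
SAMPLE_LOG = ["1000.0 192.0.2.10:40001 -> 198.51.100.5:3323 OPEN"]
for n in range(6):
    SAMPLE_LOG += [f"{1001 + n}.0 203.0.113.7:{51000 + n} -> 198.51.100.5:3323 OPEN",
                   f"{1001 + n}.1 203.0.113.7:{51000 + n} -> 198.51.100.5:3323 RST",
                   f"{1100 + n}.0 203.0.113.9:{52000 + n} -> 198.51.100.5:3323 OPEN",
                   f"{1103 + n}.0 203.0.113.9:{52000 + n} -> 198.51.100.5:3323 RST"]
SAMPLE_LOG.sort(key=lambda line: float(line.split()[0]))

print(sorted(flagged_sources(SAMPLE_LOG)))  # ['203.0.113.7']
```

A flagged source is a candidate for the firewall allow list check above and for correlation with the Routinator crash indicators in the log section.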
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4HPRUIPAI2BBDGFVLN733JLIUJWLEBLF/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K52QRRYBHLP73RAS3CGOPBWYT7EZVP6O/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N2N3N3SNBHSH7GN3JOLR7YUF5FCTQQ5O/
- https://www.nlnetlabs.nl/downloads/routinator/CVE-2024-1622.txt