CVE-2024-45239
📋 TL;DR
FORT Validator before 1.6.3 crashes with a NULL pointer dereference when a malicious RPKI repository that descends from a loaded Trust Anchor serves, over rsync or RRDP, a ROA or manifest whose CMS eContent field is missing or empty. The crash takes Route Origin Validation down for every RTR client that depends on that FORT instance. The bug is a denial of service against the validator, not a way to forge ROAs: while ROV is unavailable, routers stop rejecting announcements that ROV would have marked Invalid.
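The check a relying party has to make at this point, shown as an added example rather than FORT's own code (FORT is written in C; this Python walks the same structure): parse the CMS ContentInfo down to encapContentInfo and refuse an object whose eContent is absent or zero-length before anything dereferences it. The DER builder, parser and the constructed objects below are the example's own; the OIDs are the real id-signedData and id-ct-routeOriginAuthz values, and signatures are deliberately omitted because only the eContent path is exercised.

```python
"""Added example (not FORT's code): find eContent in an RPKI signed object (RFC 6488 CMS
profile) and reject an absent or empty one instead of dereferencing it."""

ID_SIGNED_DATA = "1.2.840.113549.1.7.2"       # id-signedData (RFC 5652)
ID_CT_ROA = "1.2.840.113549.1.9.16.1.24"      # id-ct-routeOriginAuthz (RFC 6482)
SEQUENCE, SET, INTEGER, OCTET_STRING, OID = 0x30, 0x31, 0x02, 0x04, 0x06
CTX0 = 0xA0                                   # [0] EXPLICIT (constructed context tag 0)


def der(tag, body):
    """Encode one TLV with a definite-form DER length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def encode_oid(dotted):
    """Base-128 OBJECT IDENTIFIER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def read_tlv(buf, off=0):
    """Return (tag, value, offset_after) for the TLV starting at `off`; bounds-checked."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[off], buf[off + 1], off + 2
    if first & 0x80:
        nb = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def children(body):
    """All top-level TLVs inside a constructed value, as (tag, value) pairs."""
    out, off = [], 0
    while off < len(body):
        tag, value, off = read_tlv(body, off)
        out.append((tag, value))
    return out


def build_signed_object(econtent):
    """Constructed ContentInfo{SignedData} for the example. econtent=None omits eContent
    entirely; b"" encodes a zero-length OCTET STRING. signerInfos is left empty on purpose."""
    eci = der(OID, encode_oid(ID_CT_ROA))
    if econtent is not None:
        eci += der(CTX0, der(OCTET_STRING, econtent))
    signed_data = (der(INTEGER, b"\x03") + der(SET, b"")      # version, digestAlgorithms
                   + der(SEQUENCE, eci) + der(SET, b""))     # encapContentInfo, signerInfos
    return der(SEQUENCE, der(OID, encode_oid(ID_SIGNED_DATA))
               + der(CTX0, der(SEQUENCE, signed_data)))


def econtent_of(obj):
    """Walk ContentInfo -> [0] SignedData -> encapContentInfo.
    Returns the eContent payload bytes, or None when the OPTIONAL field is absent."""
    tag, ci, _ = read_tlv(obj)
    if tag != SEQUENCE:
        raise ValueError("ContentInfo is not a SEQUENCE")
    (ct_tag, ct), (c_tag, content) = children(ci)
    if ct_tag != OID or ct != encode_oid(ID_SIGNED_DATA):
        raise ValueError("contentType is not id-signedData")
    if c_tag != CTX0:
        raise ValueError("content is not [0] EXPLICIT")
    sd_tag, sd, _ = read_tlv(content)
    fields = children(sd)
    if sd_tag != SEQUENCE or len(fields) < 4:
        raise ValueError("SignedData is malformed")
    eci_tag, eci = fields[2]          # version, digestAlgorithms, encapContentInfo, ...
    parts = children(eci)
    if eci_tag != SEQUENCE or not parts:
        raise ValueError("encapContentInfo is malformed")
    if len(parts) == 1:
        return None                   # eContent omitted: legal in plain CMS, not in RPKI
    w_tag, wrapper = parts[1]
    if w_tag != CTX0:
        raise ValueError("eContent is not [0] EXPLICIT")
    os_tag, payload, _ = read_tlv(wrapper)
    if os_tag != OCTET_STRING:
        raise ValueError("eContent is not an OCTET STRING")
    return payload


def validate(obj):
    """The decision a relying party makes before handing eContent to the ROA/manifest
    decoder: absent or empty eContent is rejected, never dereferenced."""
    payload = econtent_of(obj)
    if payload is None:
        return "reject: eContent absent (RFC 6488 requires it)"
    if len(payload) == 0:
        return "reject: eContent is empty"
    return "ok: eContent %d bytes" % len(payload)


if __name__ == "__main__":
    for label, ec in (("present", b"\x30\x00"), ("absent", None), ("empty", b"")):
        print(label, "->", validate(build_signed_object(ec)))
```

The same walk works on a real object pulled from FORT's local repository cache, since ROAs and manifests are plain DER files; the only difference is that a real SignedData also carries certificates and a populated signerInfos, which the index-based field access above already tolerates.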
💻 Affected Systems
- FORT RPKI Relying Party Software
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
The validator stays down and its RTR clients receive no fresh VRPs. Routers keep the last set until the RTR expire interval lapses (RFC 8210 default 7200 seconds), then treat every route as NotFound, so announcements that ROV would have marked Invalid, including hijacks of covered prefixes, are accepted again. The bug does not cause a hijack by itself; it removes the control that would have rejected one.
Likely Case
FORT crashes as soon as it parses the object. Because the repository keeps serving it, each restart crashes again on the next validation cycle, so this is a crash loop rather than a one-off outage until the object is withdrawn or FORT is upgraded.
If Mitigated
Where each router is configured with several RTR cache servers backed by independent relying-party implementations, losing FORT does not remove ROV. Where every cache is a FORT instance, all of them fetch the same object and crash together, so monitoring and automatic restart shorten the gaps but do not prevent the loss of validation.
🎯 Exploit Status
Exploitation requires a publication point below a Trust Anchor that FORT loads: the attacker operates, or has compromised, a CA somewhere in that tree and serves the malformed ROA or manifest over rsync or RRDP. Nothing has to be sent to FORT directly, since the validator fetches and parses the object itself during its normal validation cycle.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.3
Vendor Advisory: https://nicmx.github.io/FORT-validator/CVE.html
Restart Required: Yes
Instructions:
1. Obtain FORT 1.6.3 or later from the official repository or your distribution's packages.
2. Stop the FORT service.
3. Install the patched version.
4. Start the FORT service.
5. Confirm with fort --version that 1.6.3 or later is running, then watch the log until a full validation cycle completes without a crash; a crash on the first cycle means the old binary is still in use.
🔧 Temporary Workarounds
Restrict RPKI Repository Sources
FORT has no per-repository allow-list. The only control over which repositories it visits is the set of TAL files it loads (the directory given by --tal, or "tal" in the configuration file): removing a TAL stops FORT from walking that Trust Anchor's whole tree. This narrows exposure only at the cost of losing validation for every prefix under that TAL, and any CA below a TAL you keep can still serve the crashing object, so treat it as a last resort rather than a real workaround.
🧯 If You Can't Patch
- Monitor the FORT process and restart it automatically, but expect a crash loop rather than a single crash: the repository serves the same object on every cycle, so restarts only keep RTR data fresh for as long as each run gets before it dies
- Give each router more than one RTR cache server and back at least one with a relying-party implementation other than FORT; redundant FORT instances all fetch the same object and fail together
- Review the RTR expire interval on your routers (RFC 8210 default 7200 seconds); it bounds how long they keep the last VRP set once the validator is unreachable
🔍 How to Verify
Check if Vulnerable:
Check FORT version with 'fort --version' or examine installed package version. Versions below 1.6.3 are vulnerable.
Check Version:
fort --version
Verify Fix Applied:
After upgrade, run 'fort --version' to confirm version 1.6.3 or higher is installed, then monitor service stability.
📡 Detection & Monitoring
Log Indicators:
- FORT does not write "NULL pointer" to its log; the process dies with SIGSEGV, so the evidence is in the kernel and service manager logs, not in FORT's own output
- Kernel line of the form fort[PID]: segfault at 0 ip ... error 4 in fort[...]; a fault address in page zero is the NULL-dereference shape of this bug
- Under systemd: fort.service: Main process exited, code=killed, status=11/SEGV, followed by Scheduled restart job lines whose restart counter climbs with every validation cycle
- The last lines FORT wrote before the crash identify the repository it was validating, which points at the publication point serving the object
Network Indicators:
- None inbound: FORT initiates every connection, so the malicious content arrives over rsync (TCP 873) or RRDP (HTTPS) from a publication point already reachable through a loaded TAL
- A publication point that first appears in FORT's fetches shortly before the crashes start is the most useful correlation
SIEM Query:
(sourcetype=syslog OR sourcetype=journald) AND (("fort.service" AND "status=11/SEGV") OR ("segfault at" AND "in fort["))
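The log indicators above, run as detection logic over sample lines. This is an added example, not a FORT or vendor tool; the journal lines are constructed to follow journalctl's short output format and the kernel's x86 segfault message, and the one-hour crash-loop window and the page-zero threshold are the example's own choices.

```python
"""Added example (not FORT's code): detect this bug's crash signature in journald/kernel
log lines. FORT itself never logs "NULL pointer"; the evidence is the kernel segfault
record with a fault address in page zero and systemd's SIGSEGV exit for fort.service."""
import re
from datetime import datetime, timedelta

# Constructed sample, not a real capture. Two fort crashes fifteen minutes apart, the
# matching systemd restarts, and two unrelated lines that must not be counted.
SAMPLE_JOURNAL = """\
Sep 01 10:00:03 rp1 kernel: fort[2211]: segfault at 0 ip 000055d3c1a7b2f4 sp 00007f1c8e7f9d10 error 4 in fort[55d3c1a5e000+7c000]
Sep 01 10:00:03 rp1 systemd[1]: fort.service: Main process exited, code=killed, status=11/SEGV
Sep 01 10:00:03 rp1 systemd[1]: fort.service: Failed with result 'signal'.
Sep 01 10:00:13 rp1 systemd[1]: fort.service: Scheduled restart job, restart counter is at 1.
Sep 01 10:15:08 rp1 kernel: fort[2340]: segfault at 8 ip 000055a0e0c7b2f4 sp 00007f4d1e7f9d10 error 4 in fort[55a0e0c5e000+7c000]
Sep 01 10:15:08 rp1 systemd[1]: fort.service: Main process exited, code=killed, status=11/SEGV
Sep 01 10:15:18 rp1 systemd[1]: fort.service: Scheduled restart job, restart counter is at 2.
Sep 01 11:30:00 rp1 systemd[1]: other.service: Main process exited, code=killed, status=11/SEGV
Sep 01 12:00:00 rp1 kernel: other[900]: segfault at 7f00deadbeef ip 00005555aaaabbbb sp 00007ffcc0000000 error 4 in other[5555aaaa0000+1000]
"""

SEGFAULT_RE = re.compile(r"kernel: fort\[\d+\]: segfault at ([0-9a-f]+) ")
SEGV_RE = re.compile(r"fort\.service: Main process exited, code=killed, status=11/SEGV")
RESTART_RE = re.compile(r"fort\.service: Scheduled restart job, restart counter is at (\d+)")


def _stamp(line):
    # journalctl's short format carries no year; 1900 is fine for intervals within one capture.
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def analyze(journal_text, loop_window=timedelta(hours=1)):
    """Summarise fort.service crashes in `journal_text`.
    A fault address below 0x1000 (page zero) is the NULL-dereference shape this CVE produces;
    two SIGSEGV exits within `loop_window` means the repository is still serving the object
    and automatic restart is looping rather than recovering."""
    segv_at, null_faults, restarts = [], 0, 0
    for line in journal_text.splitlines():
        m = SEGFAULT_RE.search(line)
        if m and int(m.group(1), 16) < 0x1000:
            null_faults += 1
        if SEGV_RE.search(line):
            segv_at.append(_stamp(line))
        m = RESTART_RE.search(line)
        if m:
            restarts = max(restarts, int(m.group(1)))
    segv_at.sort()
    loop = any(later - earlier <= loop_window
               for earlier, later in zip(segv_at, segv_at[1:]))
    return {
        "fort_segv_exits": len(segv_at),
        "null_page_segfaults": null_faults,
        "max_restart_counter": restarts,
        "crash_loop": loop,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_JOURNAL))
```

Feed it the output of journalctl for the fort unit plus the kernel ring buffer; a result with crash_loop set and a rising restart counter is the signal to stop relying on automatic restart and either upgrade or find the offending publication point in FORT's last log lines before each crash.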