CVE-2024-56170
📋 TL;DR
This vulnerability in the FORT RPKI validator allows an attacker who can serve repository content to present outdated RPKI manifests that the validator accepts, causing it to treat invalid or revoked BGP route origin authorizations as valid. Organizations using FORT for route origin validation in BGP routing are affected, potentially leading to route hijacking or traffic interception.
💻 Affected Systems
- FORT RPKI Validator
⚠️ Risk & Real-World Impact
Worst Case
Route hijacking where attackers intercept or redirect internet traffic by presenting outdated RPKI manifests that validate revoked or unauthorized BGP routes.
Likely Case
Accidental acceptance of outdated route validation data leading to suboptimal routing or temporary routing issues.
If Mitigated
Minimal impact with proper network monitoring and RPKI validation redundancy.
🎯 Exploit Status
Exploitation requires ability to serve malicious RPKI manifests to the validator, which could be achieved through cache poisoning or compromised RPKI repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.0 or later
Vendor Advisory: https://nicmx.github.io/FORT-validator/CVE.html
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download FORT 2.0.0 or later from the official repository.
3. Stop the FORT service.
4. Install the new version following the platform-specific instructions.
5. Restart the FORT service.
6. Verify that manifest validation is working correctly.
🔧 Temporary Workarounds
Manual manifest freshness checking
Implement external monitoring to verify manifest freshness and alert on outdated manifests
# Example: Check manifest timestamps in cache
find /var/cache/fort -name "*.mft" -exec stat -c '%n %y' {} \;
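As an added example, not FORT's own code: the freshness and replay check this workaround calls for, applied to the manifest fields (manifestNumber, thisUpdate, nextUpdate) once they have been decoded from a .mft file. Decoding the CMS/ASN.1 manifest is assumed to happen elsewhere, and all sample values below are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ManifestInfo:
    manifest_number: int   # manifestNumber from the manifest eContent
    this_update: datetime  # thisUpdate, UTC
    next_update: datetime  # nextUpdate, UTC


def check_manifest(new: ManifestInfo, previous: Optional[ManifestInfo],
                   now: datetime) -> List[str]:
    """Reasons a newly fetched manifest must not replace the last accepted one
    for the same publication point; an empty list means it is fresh."""
    problems = []
    if new.next_update <= new.this_update:
        problems.append("nextUpdate is not after thisUpdate")
    if new.this_update > now:
        problems.append("thisUpdate is in the future")
    if now >= new.next_update:
        problems.append("stale: nextUpdate has already passed")
    if previous is not None:
        # Replay/rollback: an older manifest presented after a newer one was seen.
        if new.manifest_number < previous.manifest_number:
            problems.append("manifestNumber went backwards")
        if new.this_update < previous.this_update:
            problems.append("thisUpdate older than the last accepted manifest")
        if (new.manifest_number == previous.manifest_number
                and new.this_update != previous.this_update):
            problems.append("same manifestNumber reused with a different thisUpdate")
    return problems


def _utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


# Constructed sample values (not taken from any real repository).
LAST_ACCEPTED = ManifestInfo(1042, _utc("2024-12-01T00:00Z"), _utc("2024-12-02T00:00Z"))
NOW = _utc("2024-12-01T12:00Z")
REPLAYED = ManifestInfo(1041, _utc("2024-11-30T00:00Z"), _utc("2024-12-01T00:00Z"))  # older manifest served again
FRESH = ManifestInfo(1043, _utc("2024-12-01T06:00Z"), _utc("2024-12-02T06:00Z"))     # legitimate successor


def demo() -> dict:
    return {"replayed": check_manifest(REPLAYED, LAST_ACCEPTED, NOW),
            "fresh": check_manifest(FRESH, LAST_ACCEPTED, NOW)}
```

Persist the last accepted ManifestInfo per publication point between runs; a non-empty result is the condition to alert on.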
🧯 If You Can't Patch
- Implement redundant RPKI validation using multiple validators from different vendors
- Increase monitoring of BGP route changes and implement anomaly detection for unexpected routing announcements
🔍 How to Verify
Check if Vulnerable:
Check the FORT version: any release before 2.0.0 (1.6.4 or earlier) is vulnerable.
Check Version:
fort --version
Verify Fix Applied:
Verify FORT version is 2.0.0 or later and test with known outdated manifests to ensure they are rejected.
📡 Detection & Monitoring
Log Indicators:
- Multiple manifest fetches with same manifestNumber but older thisUpdate timestamps
- Warnings about manifest validation inconsistencies
Network Indicators:
- Unexpected BGP route changes following RPKI repository updates
- Traffic patterns suggesting route hijacking
SIEM Query:
source="fort" AND ("manifest" OR "RPKI") AND ("old" OR "outdated" OR "rollback")