CVE-2024-56375
📋 TL;DR
An integer underflow vulnerability in FORT RPKI validator versions 1.6.3 and 1.6.4 allows a malicious RPKI repository to cause a denial of service by serving a Manifest object with an empty fileList. This affects organizations using FORT for Resource Public Key Infrastructure validation, particularly those connecting to untrusted RPKI repositories.
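To illustrate the bug class the advisory names, here is an added C example (not FORT's code; the `struct manifest` layout and every function name are hypothetical) showing how deriving a last index from an unsigned entry count underflows on an empty fileList, beside a bounds-safe loop that handles the empty case without any index arithmetic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Hypothetical manifest representation, constructed for this example
 * (not FORT's actual data structures). */
struct manifest {
    const char **file_list; /* fileList entries */
    size_t file_count;      /* number of entries; 0 for an empty fileList */
};

/* Vulnerable pattern: deriving the last valid index as count - 1 on an
 * unsigned type. For count == 0 this wraps to SIZE_MAX, so a loop of the
 * form "for (i = 0; i <= last; i++)" walks far past the array. */
size_t unsafe_last_index(size_t file_count)
{
    return file_count - 1; /* underflows when file_count == 0 */
}

/* True when the unsafe computation yields an index outside the array. */
bool unsafe_would_overrun(size_t file_count)
{
    return unsafe_last_index(file_count) >= file_count;
}

/* Hardened form: bound the loop by the count itself, never by count - 1,
 * so an empty fileList simply yields zero entries. Returns the number of
 * entries checked, or -1 if an entry is missing or empty. */
long validate_manifest(const struct manifest *m)
{
    for (size_t i = 0; i < m->file_count; i++) {
        if (m->file_list[i] == NULL || m->file_list[i][0] == '\0')
            return -1;
    }
    return (long)m->file_count;
}

/* Constructed inputs: a two-entry manifest and an empty one. */
long check_two_entry_manifest(void)
{
    const char *files[] = { "example.roa", "example.crl" };
    struct manifest m = { files, 2 };
    return validate_manifest(&m);
}
long check_empty_manifest(void)
{
    struct manifest m = { NULL, 0 };
    return validate_manifest(&m);
}
```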
💻 Affected Systems
- FORT RPKI validator
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for RPKI validation services, potentially disrupting BGP route origin validation and causing routing instability.
Likely Case
Service crash requiring manual restart of FORT validator processes, temporarily disrupting RPKI validation.
If Mitigated
Limited impact with proper network segmentation and monitoring that can quickly detect and restart crashed services.
🎯 Exploit Status
Exploitation requires control over an RPKI repository that descends from a trusted Trust Anchor, but the actual exploit mechanism is straightforward once this condition is met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.5
Vendor Advisory: https://nicmx.github.io/FORT-validator/CVE.html
Restart Required: Yes
Instructions:
1. Download FORT 1.6.5 from the official repository.
2. Stop the FORT service.
3. Install the new version following platform-specific installation procedures.
4. Restart the FORT service.
🔧 Temporary Workarounds
Restrict RPKI Repository Access
Limit FORT validator connections to known, trusted RPKI repositories only.
Configure FORT to use only whitelisted repository URIs in fort.conf.
🧯 If You Can't Patch
- Implement monitoring to detect and automatically restart crashed FORT processes.
- Isolate FORT validator from untrusted networks and only allow connections to verified RPKI repositories.
🔍 How to Verify
Check if Vulnerable:
Check the FORT version with 'fort --version' or examine the installed package version. Versions 1.6.3 and 1.6.4 are vulnerable.
Check Version:
fort --version
Verify Fix Applied:
After patching, verify version is 1.6.5 or higher using 'fort --version' and ensure the service runs without crashing when processing RPKI data.
📡 Detection & Monitoring
Log Indicators:
- FORT process crashes or restarts
- Error messages related to Manifest processing or array bounds
- Unusual termination of FORT validator service
Network Indicators:
- Unexpected connections to RPKI repositories
- Abnormal traffic patterns to/from FORT validator
SIEM Query:
process_name="fort" AND (event_type="crash" OR exit_code!=0)