CVE-2024-45238

EUVD-2024-41379

24.08.2024, 23:15

An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a resource certificate containing a bit string that doesn't properly decode into a Subject Public Key. OpenSSL does not report this problem during parsing, and when compiled with OpenSSL libcrypto versions below 3, Fort recklessly dereferences the pointer. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADP	ADP	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 70%

Affected Products (NVD)

Vendor	Product	Version
nicmx	fort_validator	𝑥 < 1.6.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

fort-validator

bookworm	1.5.4-1+deb12u1 fixed
bullseye	vulnerable
bullseye (security)	1.5.3-1~deb11u2 fixed
forky	1.6.7-1 fixed
sid	1.6.7-1 fixed
trixie	1.6.6-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

fort-validator

focal	Fixed 1.2.0-1ubuntu0.1~esm1 released
jammy	Fixed 1.5.3-1ubuntu0.1 released
noble	Fixed 1.6.1-1ubuntu0.1~esm2 released
oracular	ignored
plucky	not-affected
questing	not-affected

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://nicmx.github.io/FORT-validator/CVE.html

https://lists.debian.org/debian-lts-announce/2025/02/msg00030.html